On December 28, 2016, New York published a revised version of its proposed “Cybersecurity Requirements for Financial Services Companies” aimed at increasing the requirements and protections for information security, auditing, and reporting for financial institutions doing business within New York state. The regulation was announced on September 13, 2016 as the first-of-its-kind regulation to protect consumers and financial institutions and had intended to go into effect January 1, 2017. However, in response to the 45-day public comment period, a revised version was distributed mere days before the end of the year on December 28, 2016 with an expected implementation date of March 1, 2017.
Although the revised version will be subject to an additional 30-day public comment period, there are a number of key provisions in the current versions that financial institutions should be aware of:
- 500.02. Cybersecurity Program: The required Cybersecurity Program will be based upon the Covered Entity’s Risk Assessment (described in §500.09) and must comply with the items described in §500.02(b):
- identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
- use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
- detect Cybersecurity Events;
- respond to identified or detected Cybersecurity Events to mitigate any negative effects;
- recover from Cybersecurity Events and restore normal operations and services; and
- fulfill applicable regulatory reporting obligations.
- 500.02(c) allows a Covered Entity to adopt the cybersecurity program of an Affiliate if the Affiliate’s cybersecurity program meets the above requirements and covers the Covered Entity’s information.
- 500.03. Cybersecurity Policy: This section outlines the areas that the Cybersecurity Program should address and is quite expansive, including (but not limited to) information security, data governance, network security and monitoring, physical security and environmental controls, customer data privacy, and incident response.
- 500.05. Penetration Testing and Vulnerability Assessments: The Cybersecurity Program shall include monitoring and testing on a periodic basis, but at a minimum, annual penetration testing based on risks identified in the Covered Entity’s Risk Assessment and bi-annual vulnerability assessments, including the identification of any publicly known cybersecurity vulnerabilities.
- 500.06. Audit Trail: Covered Entities, to the extent applicable based upon its Risk Assessment, will need to maintain for at least five years information to reconstruct material financial transactions and specific audit trails related to Cybersecurity Events.
- 500.08. Application Security: The Cybersecurity Program shall include written procedures, guidelines, and standards governing the development of in-house applications and the testing of externally developed applications.
- 500.09. Risk Assessment: The Risk Assessment will be implemented based upon written policies and procedures and will address the following:
- criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity;
- criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity’s Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and
- requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
- 500.11. Third Party Service Provider Security Policy: Each Covered Entity must maintain a written policy regarding the security of Information Systems and Nonpublic Information accessible to, or held by, Third Party Service Providers. This includes methods of assessing risks for these providers and outlining minimum cybersecurity practices that each provider must implement.
- 500.12. Multi-Factor Authentication: Any individual that accesses a Covered Entity’s internal network from an external network must use multi-factor authentication unless the Covered Entity’s Chief Information Security Officer (“CISO”) has approved in writing a reasonable alternative with equal or greater secure access controls.
- 500.16. Incident Response Plan: The Cybersecurity Program should include a written incident response plan to respond to, and recover from, Cybersecurity Events that materially affect the confidentiality, integrity, or availability of its Information Systems or the continuing functionality of its business or operations, including:
- the internal processes for responding to a Cybersecurity Event;
- the goals of the incident response plan;
- the definition of clear roles, responsibilities and levels of decision-making authority;
- external and internal communications and information sharing;
- identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
- documentation and reporting regarding Cybersecurity Events and related incident response activities; and
- the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.
- 500.17. Notices to Superintendent: A Covered Entity must notify the superintendent of the New York State Department of Financial Services (“Superintendent”) within 72 hours from a determination that a Cybersecurity Event has occurred that (1) necessitates reporting to a government body, self-regulatory agency, or any other supervisory body, and (2) has a reasonable likelihood of material harming any material part of the normal operation(s) of the Covered Entity.
Each year by February 15, a Covered Entity must submit to the Superintendent a written certification stating that it is in compliance with these regulations and the steps it has taken to ensure compliance. All documentation and information supporting such compliance should be available for at least five years.
- 500.19. Exemptions: There are a number of exemptions to all or part of these regulations.
- 500.22. Transitional Periods: In general, Covered Entities will have 180 days from March 1, 2017 to comply with these regulations, with certain exceptions identified in §500.22(b) addressing individual sections of these regulations.
The current version of these regulations can be found here and we will continue to monitor any further revisions that occur before March 1, 2017. To ensure that you are aware of any further updates regarding this story or others involving eDiscovery, Data Privacy, and Cybersecurity, please subscribe to the blog.