On Dec. 28, 2016, the New York State Department of Financial Services (NYDFS) published a revised version of its “Cybersecurity Requirements for Financial Services Companies” (the “Regulations”). The revised Regulations preserve the intent and core requirements of the original proposal, issued Sept. 13, 2016, while incorporating certain changes intended to ease compliance burdens raised by some regulated entities during the comment period. These proposed modifications are aimed at enhancing the ability of regulated entities to tailor cybersecurity programs and policies to counter their own particularized risks and threats.
Changes in the Revised Requirements
While the revised Regulations retain most of the content set forth in the proposed rules promulgated last summer, which were summarized in a prior Kramer Levin Alert, there are important modifications of which regulated entities should be aware. Following criticisms that the original rules imposed strict, one-size-fits-all requirements on the variety of businesses that qualify as Covered Entities, some of the Regulations have been relaxed or made more nuanced. Significantly, many of the steps that Covered Entities were previously required to take are now tied to “the Covered Entity’s Risk Assessment.” These changes may afford Covered Entities additional flexibility in implementing the Regulations in a manner appropriate to their business operations and the particular cybersecurity threats presented.
The following list summarizes some of the most significant changes to the Regulations:
- Particularized Risk Assessment: As noted, certain mandated programs and policies are now directly tied to “the Covered Entity’s Risk Assessment.” (500.02(b); 500.03) Covered Entities must conduct a “periodic” Risk Assessment, not necessarily on an annual basis, but as necessary in order to “address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations” and allow for “revision of controls to respond to technological developments and evolving threats.” Consistent with the more prominent position that the Risk Assessment occupies in the revised Regulations, the Risk Assessment must be robust enough to “inform the design of the cybersecurity program,” and the Regulations outline specific criteria that need to be met. (500.09)
- Nonpublic Information: The definition of Nonpublic Information has been clarified to include only identifying information with one or more of the following: (i) Social security number; (ii) driver’s license number or nondriver card number; (iii) account numbers, including credit or debit card numbers; (iv) security codes, including passwords to financial accounts; or (v) biometrics. (500.01(g)(2))
- Third Party Service Provider (TPSP): A definition has been added to the Regulations, clarifying that in order to qualify as a covered TPSP, the provider must “maintain, process, or otherwise [be] permitted access to Nonpublic Information” through its provision of services. (500.01(n))
- Chief Information Security Officer (CISO): Covered Entities that do not qualify for one of the exemptions remain obligated to designate a qualified individual to serve as a CISO, charged with “overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.” The CISO may be employed by the Covered Entity, an affiliate or a TPSP. The CISO must report to the Covered Entity’s board of directors “or an equivalent governing body” on the cybersecurity program and “material” cybersecurity risks on at least an annual basis. (500.04)
- Penetration Testing: Requirements regarding penetration testing and vulnerability assessments have been honed. Unlike the previously proposed Regulations, the amended Regulations provide that the monitoring and testing “shall include continuous monitoring or periodic penetration testing and vulnerability assessments.” Where effective continuous monitoring is not feasible, certain tests should be conducted annually or biannually. (500.05)
- Audit Trail: The original rule required Covered Entities to maintain an audit trail that allowed “for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event.” The amendment relaxes this requirement by allowing companies to implement systems “designed to reconstruct material financial transactions” and that “include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” The audit trail systems are also to be implemented “to the extent applicable” and based on the Covered Entity’s Risk Assessment. The retention period for related data has been reduced from six to five years. (500.06)
- TPSP: While the requirements concerning TPSPs remain largely intact, the revised Regulations now direct Covered Entities to “include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers” in their policies, instead of requiring “preferred provisions” to be “included in contracts with third party service providers.” The “relevant guidelines” include consideration of the TPSP’s policies and procedures regarding encryption and access controls (including multifactor authentication). In addition, they require that notice be provided to the Covered Entity in case of a Cybersecurity Event “directly impacting … Nonpublic Information and Information Systems,” as well as “representations and warranties addressing the Third Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.” (500.11)
- Multi-Factor Authentication: The mandate that Covered Entities use multi-factor authentication or an equivalent level of protection to guard against unauthorized access to Nonpublic Information or Information Systems is now tethered to circumstances in which internal networks are accessed externally, though multi-factor authentication may be appropriate in other contexts, depending on the Covered Entity’s Risk Assessment. (500.12)
- Data Retention/Destruction: The Regulations continue to require Covered Entities to limit the retention of Nonpublic Information. They must have “policies and procedures in place for the secure disposal on a periodic basis” of Nonpublic Information “no longer necessary for business operations or for legitimate business purposes,” unless its preservation is required by law or other regulation or if targeted disposal is not reasonably feasible. (500.13)
- Training and Monitoring: Covered Entities must provide “regular cybersecurity awareness training” for all personnel that reflects the vulnerabilities identified in the Covered Entity’s Risk Assessment. (500.14)
- Encryption: Rather than requiring Covered Entities to “encrypt all Nonpublic Information,” the revised Regulations require that Covered Entities “implement controls, including encryption, to protect Nonpublic Information both in transit and at rest.” If encryption is not feasible for the Covered Entity (the cost and burden of encryption — in transfer and at rest — were among the key concerns raised during the comment period), other “effective alternative compensating controls” over Nonpublic Information are permissible, provided that they are reviewed and approved by the Covered Entity’s CISO at least annually. (500.15)
- Incident Response Plan (IRP): The Regulations concerning the IRP remain mostly unchanged, though they now mandate that the IRP need only address those Cybersecurity Events that may “materially” affect the “confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business operations.” (500.16)
- Notices: In addition to the annual Certification of Compliance that must be submitted to the NYDFS Superintendent (now due on Feb. 15 of each year), Covered Entities must notify the NYDFS Superintendent no later than 72 hours after it has been determined that a Cybersecurity Event has occurred that either (i) must be reported to any other governmental, regulatory or supervisory body or (ii) has a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” (500.17)
- Confidentiality: The Regulations now include a confidentiality provision that indicates information provided by Covered Entities under the Regulations is subject to exemptions from disclosure under state and federal laws. (500.18)
- Exemptions: The Regulations include modified exemptions that may remove some companies from obligations to comply, but the exemptions remain fairly limited. A notable revision to the exemptions is that small businesses with fewer than 10 employees or independent contractors (instead of Covered Entities with fewer than 1,000 customers per year) are now exempt from most provisions (alongside those with less than $10,000,000 in assets or less than $5,000,000 in gross annual revenue), though such Covered Entities must still maintain a Cybersecurity Program and Cybersecurity Policy. The Regulations also exempt Covered Entities that do not “directly or indirectly operate, maintain, utilize or control any Information Systems,” and that do not “directly or indirectly control, own, access, generate, receive or possess Nonpublic Information.” Covered Entities that qualify for exemptions must file a Notice of Exemption with the Superintendent. (500.19)
- Effective Date: The effective date of the Regulations has been pushed back to March 1, 2017. Covered Entities must supply their first annual Certification of Compliance to NYDFS by Feb. 15, 2018. (500.21)
- Transitional Periods: The revised Regulations provide not only the original 180-day transition period, but also grant longer transitional periods for implementation of specific parts of the Regulations. (500.22)
A More Flexible but Still Demanding Regulatory Framework
With the Dec. 28 revisions, the NYDFS has modified the compliance burden imposed by the Regulations by introducing more flexible language into some of the requirements and directing Covered Entities to calibrate the parameters of their cybersecurity programs to the results of a Risk Assessment. Nonetheless, the core requirements contained in the original version of the Regulations have been preserved. As a result, banks, insurance companies and financial services companies regulated under the corresponding New York laws that do not qualify for the limited exemptions must assess their cybersecurity vulnerabilities on an ongoing basis, take proactive measures to address them and certify that they have done so to the NYDFS.
Following the end of a 30-day notice and public comment period on Jan. 27, 2017, the revised Regulations are presently scheduled to become effective March 1, 2017.