The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.
Cybersecurity Regulation Overview
The cybersecurity regulations became effective March 1, 2017. In its official introduction to the regulations (23 NYCRR 500), NYDFS observed that the financial services industry has become a significant target of cybersecurity threats and that cybercriminals can cause large financial losses for both financial institutions and their customers whose private information may be stolen for illicit purposes. Given the seriousness of this risk, NYDFS determined that certain regulatory minimum standards were warranted but avoided being overly prescriptive, to allow cybersecurity programs to match the relevant risks and keep pace with technological advances.
The cybersecurity regulations require each financial services company regulated by NYDFS to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The required risk assessment, however, is not intended to permit a cost-benefit analysis of acceptable losses where an institution faces cybersecurity risks. Senior management must be responsible for an organization’s cybersecurity program and file an annual certification confirming compliance with the regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
NYDFS has issued a clear warning of its intent to pursue strong enforcement of the cybersecurity regulations: “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”
The cybersecurity regulation applies to any organization operating under, or required to operate under, an NYDFS license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Entities regulated by NYDFS include the following:
- Commercial banks and trust companies
- Check cashers
- Domestic and foreign representative bank offices
- Health insurers
- Life insurance companies
- Money transmitters
- Mortgage brokers, loan originators and loan servicers
- Property and casualty insurance companies
- Sales finance companies
- Service contract providers
Financial services companies that are subject to the cybersecurity regulations must take the following actions by Aug. 28, 2017.
- Cybersecurity program and documentation. Implement, document and maintain a cybersecurity program that performs the following core cybersecurity functions: (1) identify and assess internal and external cybersecurity risks to any nonpublic information stored on the company’s information systems; (2) use defensive infrastructure to protect the company’s information systems from unauthorized access or other malicious acts; (3) detect cybersecurity events; (4) respond to and mitigate the negative effects of any detected cybersecurity events; (5) recover from cybersecurity events and restore normal operations and services; and (6) fulfill applicable regulatory reporting obligations.
- Cybersecurity policies and procedures. Implement and maintain written policies and procedures protecting the company’s information systems and nonpublic information that address the following areas: (a) information security, (b) data governance and classification, (c) asset inventory and device management, (d) access controls and identity management, (e) business continuity and disaster recovery planning and resources, (f) systems operations and availability concerns, (g) systems and network security, (h) systems and network monitoring, (i) systems and application development and quality assurance, (j) physical security and environmental controls, (k) customer data privacy, (l) vendor and third-party service provider management, (m) risk assessment and (n) incident response.
- Incident response plan. Establish a written incident response plan for cybersecurity events that addresses: (1) the internal processes for responding to a cybersecurity event; (2) the goals of the incident response plan; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; (6) documentation and reporting regarding cybersecurity events and related incident response activities; and (7) the evaluation and revision, as necessary, of the incident response plan following a cybersecurity event.
- Required notice of cybersecurity events. Notify NYDFS, no later than 72 hours from a determination that a cybersecurity event has occurred, if that event either (1) requires the company to provide notice to any government body, self-regulatory agency or any other supervisory body; or (2) has a reasonable likelihood of materially harming any material part of the normal operations of the company. An attack may constitute a reportable cybersecurity event even if the attack is not successful.
- Chief information security officer. Appoint a chief information security officer (CISO) or similar qualified individual responsible for the company’s cybersecurity program and policies.
- Limits on access privileges. Implement physical and technical safeguards limiting user access privileges to the company’s information systems that provide access to nonpublic information, and periodically review such access privileges.
- Cybersecurity personnel and training. Utilize qualified cybersecurity personnel (who may be employed by the company or a third-party service provider) to manage cybersecurity risks and to perform core cybersecurity functions; provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
- Risk assessment. Conduct and document a periodic risk assessment that considers the particular risks of the company’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized, and the availability and effectiveness of controls to protect nonpublic information and information systems. The risk assessment must be carried out in accordance with written policies and procedures that include: (1) criteria for the evaluation and categorization of identified cybersecurity risks or threats; (2) criteria for the assessment of the confidentiality, integrity, security and availability of the company’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and (3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.
Although the cybersecurity regulations do not require the risk assessment to be completed until March 1, 2018, the risk assessment is a critical component of an effective cybersecurity program. As of March 1, 2018, a company’s cybersecurity program, policies, penetration testing and vulnerability assessments, access privileges, authentication controls and cybersecurity awareness training all must consider the results of this risk assessment, and the company must make periodic updates to each as appropriate. NYDFS recognized, however, that in some cases there may be updates and revisions to a company’s cybersecurity program that incorporate the results of a risk assessment conducted after the Aug. 28, 2017, deadline.
A limited exemption from some (but not all) requirements of the cybersecurity regulations is available to financial services companies with (1) fewer than 10 employees and independent contractors who are located in New York or are otherwise responsible for the company’s business in New York; (2) less than $5 million in gross annual revenue for each of the last three fiscal years from New York business operations; or (3) less than $10 million in year-end total assets. Companies that determine they qualify for this limited exemption should file a notice of exemption by Sept. 27, 2017.
Enforcement and Penalties
The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.” In its assessment of public comments prior to final promulgation of the cybersecurity regulations, NYDFS noted that although “[s]ome commenters offered suggestions for more-specific enforcement-related provisions … [t]he Department did not make any revisions in response to those suggestions because it believes that the current Enforcement section … is sufficient.”
Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations). Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.
Future Compliance Deadlines
The cybersecurity rule provides an additional transitional period for financial services companies to achieve compliance with its remaining requirements, with rolling deadlines on Feb. 15, March 1 and Sept. 3, 2018; and March 1, 2019. Financial services companies subject to the cybersecurity regulations must take the following actions by the applicable compliance deadline:
- Submit an annual written statement to the superintendent of NYDFS certifying compliance with the cybersecurity rule for the prior calendar year.
- Require the company’s CISO to submit an annual written report regarding its cybersecurity program to the board of directors.
- Implement periodic penetration testing and vulnerability assessments.
- Institute the use of multifactor authentication, risk-based authentication, encryption and other information system controls.
- Implement and maintain a cybersecurity audit system.
- Implement written policies and procedures that address the cybersecurity practices of third-party service providers.