On December 28, 2016, the New York State Department of Financial Services (NYDFS) released a significantly revised version of its controversial, proposed cybersecurity rules, initially proposed in September of last year. As we noted in our Client Alert at that time, the rules as originally proposed would have created one of the most comprehensive and detailed cybersecurity standards in the country, and would have created significant compliance and implementation challenges. As a result, the original proposal generated significant industry outcry, calling into question, among other things, the original proposal’s workability. Like the original proposal, the revised proposal would apply to any person “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under” New York banking, insurance and financial services law, including, for example, commercial banks, foreign banks with New York State-licensed offices, mortgage brokers and servicers, small-loan lenders, and money transmitters doing business in New York. The comment period regarding the revised proposal closes on January 27, 2017.
The revised proposal includes extensive changes that would narrow the proposal and make it less prescriptive in some respects. While the proposal has been significantly reworked, covered financial institutions still will face challenges in putting in place the type of comprehensive cybersecurity program and security controls that would be required if the proposal is finalized as revised. This will be particularly true for those covered financial institutions that historically have not been subject to scrutiny on their cyber practices or that do not have mature cybersecurity processes and controls in place.
Consistent with the original proposal, the revised proposal would require covered financial institutions to put in place controls designed to protect “nonpublic information” and the information systems that handle that “nonpublic information.” Nonetheless, the NYDFS has made changes that would narrow the scope of the requirements contemplated under the revised proposal:
- The definition of “nonpublic information” relating to customers has been narrowed to include only sensitive personal information, such as name in combination with Social Security number or driver’s license number and biometric data. The original proposal would have covered any information identifiable with a customer (e.g., name and email address) and, as a result, would have imposed significant burdens to ensure protection for all types of customer information, regardless of risk.
- The definition of “nonpublic information,” however, would continue to include certain “business-related information” that, if tampered with, or accessed, used or disclosed in an unauthorized manner, would “cause a material adverse impact” to the covered financial institution. This provision is significant. To date, cybersecurity requirements throughout the world have been focused on information relating to individuals. The process of identifying what business information could have a “material adverse impact” on a financial institution would undoubtedly require a unique analysis in light of its potential subjectivity.
- Under the revised proposal, a covered financial institution would be required to tailor its cybersecurity program and certain controls based on a “risk assessment” that it would be required to conduct “periodically.” While a covered financial institution’s written cybersecurity policy still would be required to address numerous security concepts and controls, the risk assessment would “inform the design of the cybersecurity program” generally. In this respect, the NYDFS’s revised proposal is more akin to the federal Gramm-Leach-Bliley Act (GLBA) approach to security that requires a financial institution to adopt a written information security program, conduct risk assessments and include specific controls in its program that are designed to safeguard against identified risks.
In addition, as we noted in our previous Client Alert, the prescriptive nature of the original proposal would have been unworkable in some respects, such as requiring a covered financial institution to encrypt all types of customer information at rest and in transit. With this revised proposal, many of the controls that would be required would be more flexible and risk-based, although questions remain about the specific expectations of the NYDFS.
- Instead of requiring that all “nonpublic information” be encrypted in transit and at rest (which would have been particularly challenging due to the breadth of the original definition of “nonpublic information”), under the revised proposal, a covered financial institution would be required, based on its risk assessment, to “implement controls, including encryption,” to protect “nonpublic information” in transit and at rest. The revised regulations, however, are not entirely clear as to whether encryption is a mandate and whether compensating controls can only be adopted as an alternative when encryption is “infeasible.” Nonetheless, by narrowing the definition of “nonpublic information” to focus on sensitive customer information, the encryption requirement would be more in line with other encryption mandates, such as those under Massachusetts and Nevada law. It should be noted again, however, that the regulations would apply not only to the protection of information about individuals, but also to sensitive business information. As a result, if adopted as proposed, the regulations would create the country’s first encryption requirement for sensitive business information that does not relate to individuals.
- The requirements relating to multifactor authentication have been narrowed and simplified. Based on its risk assessment, a covered financial institution would be required to “use effective controls, which may include” multifactor and risk-based authentication, to protect against unauthorized access to “nonpublic information” or information systems. Unlike the original proposal, the only express mandate for multifactor authentication would be for access to “internal networks from an external network” (unless the entity’s CISO has approved the use of equivalent or more secure controls). It is not clear, however, if the NYDFS contemplates this requirement applying to employee remote access, customer access to online accounts or both.
- The logging and audit trail requirements would be far less extensive than originally proposed, although the exact contours of the new requirements remain unclear. For example, a covered financial institution would be required to “securely maintain systems that, to the extent applicable and based on [the institution’s] risk assessment” are “designed to reconstruct material financial transactions sufficient to support normal operations and obligations” of the institution. Covered financial institutions also would be required to “include audit trails” designed to detect and respond to material cybersecurity events.
- The requirements relating to service providers have been modified in two noteworthy ways. First, the NYDFS has added a definition of “Third-Party Service Provider”: an entity that is not an affiliate of the entity and that provides services to the covered entity and that “maintains, processes or otherwise is permitted to access Nonpublic Information through its provision of services” to the covered financial institution (the latter aspect of the definition being based on the GLBA definition). Second, the revised proposal would provide that a covered financial institution’s policies and procedures for its service provider relationships should be risk-based. The parameters of these policies and procedures are largely unchanged, as they still contemplate required minimum cybersecurity practices for service providers and due diligence processes to evaluate such practices. Nonetheless, covered financial institutions would have greater flexibility to take a risk-based approach with respect to their service provider relationships. It should also be noted that the new proposal does not include several of the contractual provisions from the original proposal that may have been challenging to implement. Specifically, under the new proposal, a covered financial institution would not be required to have service provider contract provisions requiring credit monitoring for service provider breaches or representations and warranties that the service provider’s services are free of, for example, viruses and trap doors.
- The breach reporting requirements have been modified to eliminate the requirement to report any “cybersecurity event” to the NYDFS within 72 hours. The revised regulations, however, would require covered financial institutions to provide notice within 72 hours of any event where a covered financial institution is required to provide notice to any other government entity or where the event would “have a reasonable likelihood of materially harming any material part of the” financial institution’s “normal operation(s).” While narrower in scope, a 72-hour time period for reporting would be among the shortest time periods contemplated in law.
The NYDFS also added several new provisions, including a provision that would require that “[a]ll documentation and information relevant to the Covered Entity’s cybersecurity program . . . be made available to [the NYDFS] upon request.” This provision apparently is intended to reinforce examination authority on these issues. It should be noted that the NYDFS also has proposed adding a confidentiality provision affirming that information provided under these regulations would be exempt from disclosure consistent with the exemptions under existing applicable laws, such as New York banking law.
Finally, the NYDFS retained the board of directors annual certification of compliance provision in its original form. Nonetheless, the revised proposal would provide additional time to comply with many of the proposal’s requirements. If adopted as proposed, the revised regulations would become effective on March 1, 2017, with the first annual certification of compliance due on February 15, 2018. And, while it begins 180 days from the effective date, the phased compliance period extends as follows: (1) one year from the effective date for certain requirements, including penetration testing, the risk assessment, multifactor authentication and general cybersecurity awareness training; (2) 18 months from the effective date for certain requirements, including the audit trail, application security, data retention practices and monitoring authorized user activity to detect unauthorized access; and (3) two years for the requirements relating to third-party service providers. The extended compliance dates are a positive change. One potential issue, however, is how covered entities will reconcile the one-year compliance date for the risk assessment with the 180-day compliance date for obligations, such as the written cybersecurity program, that must be informed by the risk assessment.
The revised regulations are subject to a 30-day comment period that began on December 28, the date the proposal was published in the New York State Register. At the end of this comment period, the NYDFS is expected to publish final regulations. As the NYDFS noted in the press release accompanying the revised regulations, it will “focus its final review on any new comments that were not previously raised in the original comment process.” Nonetheless, in light of the likely implementation of these complex rules, financial institutions that would be covered should consider both their compliance position and whether to submit comments.