Over the last few months, the New York Department of Financial Services (“DFS”) cybersecurity regulation has undergone multiple revisions. But late last week, DFS issued its final regulation, which will go into effect on March 1, 2017.
The final regulation does not differ materially from the draft issued on December 28, 2016, with a few exceptions. The final version clarifies that companies must disclose, within 72 hours, to the Secretary of DFS any cybersecurity event that either (1) must be disclosed to another government or self-regulating agency, or (2) has a “reasonable likelihood of materially harming any material part” of the normal operations of the company. And, as explained below, the final version broadens the “the limited exemption,” which relieves some companies from a number of regulatory requirements.
But the general structure of the regulation remains largely untouched from the prior version. The regulation is detailed and its scope is expansive, but its requirements can be broken down into five, core categories.
Corporate Governance: The DFS regulation requires engagement at the top of an organization. The regulation provides that senior management and boards of directors “must take” cyber security issues “seriously and be responsible for an organization’s cybersecurity program.” This obligation starts with the creation of a cybersecurity policy—the framework for protecting a company’s IT network and most sensitive information. Covered companies must also designate a Chief Information Security Officer (“CISO”), who must report to the board annually. The cybersecurity policy must be in place, and the CISO designated, by August 28, 2017.
Testing and Assessments: The regulation requires companies to conduct a number of cybersecurity tests and analyses. First and foremost, companies will have to perform a “risk assessment.” The risk assessment must “evaluate and categorize risks,” evaluate the integrity and confidentiality of the company’s information systems and non-public information, and develop a process to mitigate any identified risks. Companies must also conduct annual penetration testing and bi-annual vulnerability testing. Each of these tests and assessments must be conducted by March 1, 2018.
Day-to-Day Requirements: The regulation’s day-to-day and technical requirements are substantial and detailed. Among others, companies must develop access controls for their information systems, ensure the physical security of computer systems, encrypt or protect personally identifiable information, perform reviews of in-house and externally created applications, train employees, and build an audit trail system. The timeline to ensure compliance with these rules ranges from one year to eighteen months.
Third-Party Rules: The new regulation not only contains extensive requirements for covered entities, but also regulates third-party vendors with access to an institution’s IT network or non-public information. Covered banks and insurers are required to develop and implement written policies and procedures to ensure the security of IT systems or non-public information that can be accessed by their vendors. At a minimum, these policies must identify the risks from third-party access, impose minimum cybersecurity practices for vendors, and create a due-diligence process for evaluating those vendors. Covered entities will have two years to satisfy these extensive requirements.
Notification Requirements: Finally, the new regulation includes a mandatory notification process for any material cybersecurity event. Within 72 hours, companies must report to the DFS a cybersecurity event that has a “reasonable likelihood” of “materially harming” the company or that must be reported to another government or self-regulating agency. In addition, companies—through a certification from either the board or a senior officer—must annually attest to their compliance with the DFS regulation.
The final regulation also provides some relief from the regulation’s strict requirements for a number of entities including:
- Companies that earn less than $5 million in gross revenue in New York (in each of the past three years), that have less than $10 million in year-end total assets from all operations, or that have fewer than ten employees in New York (including independent contractors) are exempt from a number of the regulation’s provisions.
- Companies that do not have information systems and access to nonpublic information are, likewise, exempt from a number of the DFS requirements.
- Captive insurance companies—both pure and group captive insurers—are also exempt from many of the DFS requirements.
- And, subject to certain limitations, the regulation exempts a small number of entities from the regulation, including Rule 125 certified and accredited reinsurers.