Since the New York Department of Financial Services ("NYDFS") issued its Cybersecurity Requirements for Financial Services Companies regulation ("Cybersecurity Regulation") on March 1, 2017, organizational efforts to meet these regulatory requirements should be well underway. The Cybersecurity Regulation permits organizations to work to achieve compliance over a two year period and establishes transition periods and deadlines for the implementation of certain policies and controls.

After nearly a year, several deadlines for achieving certain significant milestones are approaching, including the deadline for submitting the first annual Certification of Compliance on February 15, 2018. This client alert provides a snapshot of the cybersecurity requirements an organization should already have in place under the Cybersecurity Regulation, and identifies those upcoming requirements that need to be satisfied to ensure future compliance. Given the robust, time-sensitive compliance obligations under the Cybersecurity Regulation, organizations can enhance their efforts to achieve compliance by having in place a comprehensive roadmap for meeting the requirements while also engaging the stakeholders necessary for implementation of the plan.

NYDFS Cybersecurity Regulation

As we described previously, the NYDFS promulgated the Cybersecurity Regulation in an effort to establish cybersecurity "regulatory minimum standards" to address the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. The Cybersecurity Regulation requires non-exempt New York regulated banks, insurers and financial service companies (including New York based branches and agencies of financial institutions located around the world) ("Covered Entities") to implement certain administrative, technical and physical network security measures, internal compliance structures and risk management principles designed to protect consumer information and financial services companies’ information systems. Organizations that fail to comply with the Cybersecurity Regulation could be subject to penalties and enforcement actions by the Superintendent of the NYDFS pursuant to existing law.

Achieving Compliance: The Two Year Plan

The Cybersecurity Regulation is a "one of a kind" piece of state legislation that imposes significant and comprehensive requirements on Covered Entities. Fortunately, the NYDFS saw fit to stagger those compliance obligations over a two year period into the following five stages to allow organizations sufficient time to transition their infrastructure, networks and personnel to meet the Cybersecurity Regulation requirements by March 1, 2019.

Stage 1 – Implementation by August 28, 2017; Certification by February 15, 2018: Initial Compliance Period Measures

Under the Cybersecurity Regulation, Covered Entities are currently required to have the following policies, controls and measures in place:

Stage 1: Initial Compliance (Implementation: August 28, 2017; Certification: February 15, 2018)
  • Cybersecurity program. Covered Entities must maintain cybersecurity programs (based on risk assessments) designed to protect the confidentiality, integrity, and availability of the Covered Entities’ information systems.
  • Written cybersecurity policy. Covered Entities must implement and maintain written cybersecurity policies that are approved by a senior officer or the board of directors (or committee) and that cover 14 identified cybersecurity policy areas.
  • Chief Information Security Officer (CISO). Covered Entities must designate a CISO, use qualified cybersecurity personnel, and provide regular updates and training to address relevant cybersecurity risks.
  • Limited user access privileges. Covered Entities must limit user access privileges to information systems with nonpublic information and periodically review these privileges.
  • Incident response plan. Covered Entities must implement written incident response plans designed to respond promptly to, and recover from, a cybersecurity event that materially affects their information systems or the continuing functionality of their businesses or operations.
  • Notices. Covered Entities must begin providing notice to NYDFS within 72 hours of a determination of a security incident that: (1) otherwise requires notice to another agency, government body, self-regulatory agency, or supervisory body, or (2) has a reasonable likelihood of materially harming a material part of the Covered Entities’ normal operations.

The Cybersecurity Regulation requires the annual submission of a Certification of Compliance to the Superintendent of the NYDFS beginning on February 15, 2018, in a form similar to Appendix A to the Cybersecurity Regulation. For this initial Certification of Compliance, only certain requirements (set forth in Stage 1) need to be certified, as full compliance under the Cybersecurity Regulation is not required to be achieved until March 1, 2019. By February 15, 2018, a Covered Entity should be able to certify that it has implemented a cybersecurity program and created a written cybersecurity policy designed to identify and mitigate risks to the Covered Entity’s information systems and nonpublic information, protect against unauthorized access and attacks, limit access to information systems and establish a cybersecurity governance framework that includes the designation of a CISO to oversee the implementation of the cybersecurity program. A Covered Entity should also have an incident response plan in place that sets out its incident response process, roles and responsibilities and incident reporting requirements.

Note that at this stage, the cybersecurity program need not be based on the risk assessment required under the Cybersecurity Regulation. Nevertheless, a Covered Entity should strongly consider conducting a limited risk assessment for use in developing its cybersecurity program, and then updating the cybersecurity policy to reflect the controls being implemented to address the risks and vulnerabilities identified by the risk assessment required under the Cybersecurity Regulation.

Importantly, a Covered Entity will need to maintain for five years all the information supporting the Certification of Compliance, as well as documentation of any "areas, systems or processes" that have been identified as requiring "material improvement, updating or redesign," together with the remedial efforts planned and underway. All of the documentation should be retained in a way that it can be made available for inspection by the Superintendent of the NYDFS.

Finally, the Chairperson of the Board of Directors or a Senior Officer is required to sign the Certification of Compliance, indicating that the Chairperson or Officer has reviewed all the applicable documents and data necessary to certify that the Covered Entity is in compliance with the Stage 1 requirements listed above. A Covered Entity may only submit a Certification of Compliance if the Covered Entity is in compliance with all applicable requirements under the Cybersecurity Regulation at the time of the certification. The Certification of Compliance should be filed electronically through the NYDFS Web Portal, and annually thereafter.

Stage 2 – Implementation by March 1, 2018; Certification by February 15, 2019: One Year Transition Period

Submission of the Certification of Compliance only gets you partially down the road to full compliance. The Cybersecurity Regulation requires additional policies and controls to be put into place over the next year, beginning just eight days after the annual Certification of Compliance is due. The following Stage 2 requirements, due by March 1, 2018, are designed to address an organization’s assessment of risk and vulnerabilities, secure Board involvement in addressing these risks and vulnerabilities, and implement enterprise-wide policies for creating awareness of cybersecurity issues and controls for access:

Stage 2: One-Year Transition Period (Implementation: March 1, 2018; Certification: February 15, 2019)

  • Continued compliance with Stage 1 requirements.
  • First annual written report. CISOs must submit their first annual written reports on their Covered Entity’s cybersecurity program and material cybersecurity risks to their board of directors (or equivalent governing bodies, or senior officers responsible for the cybersecurity programs).
  • Penetration testing and vulnerability assessments. Covered Entities’ cybersecurity programs must include monitoring or periodic penetration testing (based on their risk assessments), designed to assess the effectiveness of their cybersecurity programs, as well as vulnerability assessments.

If the Covered Entity does not have continuous monitoring, it must conduct annual penetration testing and bi-annual vulnerability assessments (including systematic scans/reviews of information systems that are reasonably designed to identify publicly known cybersecurity vulnerabilities based on the Covered Entity’s Risk Assessment).

  • Risk assessment. Covered Entities must conduct documented risk assessments pursuant to written policies and procedures that inform the design of their cybersecurity programs. Risk assessments must consider—and be updated on a reasonable basis to address changes to—information systems, nonpublic information, or business operations. Risk assessments must also allow for revision of controls to respond to technological developments and evolving threats.
  • Multi-factor authentication. Covered Entities must use multi-factor authentication for any individual accessing internal networks from external networks (unless the CISO approves otherwise in writing based on the use of an equivalent or more secure access control). Generally, other controls (including multi-factor authentication) may be used to protect against unauthorized access to nonpublic information.
  • Regular cybersecurity awareness training. Covered Entities must provide regular training on cybersecurity awareness for all personnel. The training must be updated to reflect risks identified through the risk assessment.

The remaining requirements under the Cybersecurity Regulation follow quickly thereafter on September 3, 2018 and March 1, 2019, leaving only a year for achieving full compliance.

Stage 3 – Implementation by September 3, 2018; Certification by February 15, 2019: Eighteen-Month Transition Period

The measures required to be implemented by September 3, 2018 for Stage 3 primarily are proactive controls designed to reduce the potential attack surface of an organization’s information security system, and enable a thorough investigation and determination of potential causes of a security incident. These include the following:

Stage 3: 18-Month Transition Period (Implementation: September 3, 2018; Certification: February 15, 2019)

  • Continued compliance with Stage 1 and 2 requirements.
  • Audit trails. Covered Entities must securely maintain systems that, to the extent required by their risk assessments: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations, and (2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal operations. Records must be maintained for five years for material financial transactions and three years for audit trails.
  • Application security. Cybersecurity programs must include written procedures, guidelines and standards designed to ensure the use of secure development practices for applications developed in-house, as well as procedures to evaluate the security of externally developed applications. Such procedures, standards, and guidelines must be periodically reviewed, assessed, and updated.
  • Limitations on data retention. Covered Entities must include policies and procedures to securely dispose of nonpublic information concerning individuals on a periodic basis when such information is no longer necessary for business operations or for a legitimate business purpose.
  • Monitoring. Covered Entities must implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect the unauthorized access, tampering with, or use of nonpublic information by authorized users.
  • Encryption of nonpublic information. Covered Entities must implement (based on their risk assessments) controls, including encryption, to protect nonpublic information that they hold or transmit, while it is in transit over external networks and at rest.

Stage 4 – Implementation by March 1, 2019; Certification by February 15, 2020: Two Year Transition Period

The Stage 4 requirements are for the final transition period and target an organization’s policies and practices towards engaging and vetting third-party service providers, and controlling access to information systems by those parties. These include:

Stage 4: 2-Year Transition Period (Implementation: March 1, 2019; Certification: February 15, 2020)

  • Continued compliance with Stage 1, 2 and 3 requirements.
  • Third-party service provider security policy. Covered Entities must implement written policies and procedures (based on their risk assessments) to ensure the security of information systems and nonpublic information that third-party service providers access or hold.
  • Guidelines concerning access controls. To the extent applicable, Covered Entities must have guidelines for related due diligence and/or contractual protections that address third-party service providers’ policies and procedures concerning access controls (including use of multi-factor authentication) and use of encryption.
  • Guidelines concerning notices and representations and warranties. Guidelines must also address notices that must be provided to the Covered Entities in the event of a cybersecurity event that occurs at third-party service providers as well as representations and warranties addressing third-party service providers’ cybersecurity policies and procedures that relate to Covered Entities’ information systems or nonpublic information.

Involve Key Stakeholders in Compliance Effort

The transition periods under the Cybersecurity Regulation outlined above are quickly expiring and, with just over a year remaining to achieve full compliance, organizations could find themselves unable to do so in a timely manner if they are not diligent. Indeed, some of the required controls and measures, such as the encryption of nonpublic information and the evaluation of third-party cybersecurity practices and controls, are subject to longer transition periods precisely because those controls and measures take time to implement. Without adequate planning and preparation, an organization could find itself only partially compliant with the Cybersecurity Regulation, and unable to submit its annual Certification of Compliance – an omission that could draw the attention of the Superintendent of the NYDFS.

To avoid this pitfall, organizations should create a roadmap that identifies the requirements, related necessary controls and measures, timing and resource considerations, and the various roles and responsibilities of those tasked with implementing the program. Organizations should also marshal internal and external resources for use in completing the tasks set forth in the roadmap for compliance with the Cybersecurity Regulation.

In addition to involving executive management to make decisions and IT professionals to execute the technical plan, legal counsel (whether internal or external) often plays a key role in moving an organization towards compliance. For example, counsel can lead or supplement efforts to identify, assess, and prioritize compliance obligations, interpret regulatory requirements, draft internal policies, negotiate vendor contracts, independently review and document risk determinations for adequacy and reasonableness, provide training and program development to employees, management and the board, and prepare for incident response and reporting requirements.

Ultimately, coupling the necessary stakeholders with an effective compliance implementation roadmap that covers all four stages and is maintained continuously will facilitate the adequate and timely implementation of the policies, measures and controls required under the Cybersecurity Regulation. As is the case with other risk management efforts, your organization’s successful implementation of the NYDFS Cybersecurity Regulation requires careful planning, sufficient resources, expertise, and senior-level attention. As is the hope with other risk management efforts, successful implementation of the regulation will avoid compliance failures and potential supervisory responses, or worse, while also providing genuine security improvements, enhanced resilience, and a stronger market presence.