Morgan Lewis submits second comment letter on the proposed rules.
The New York State Department of Financial Services (DFS) is expected soon to issue “first-in-the-nation” cybersecurity regulations that will apply to life insurance companies, financial institutions, financial services companies, and other DFS-regulated entities. The cybersecurity regulations initially were to become effective on January 1, 2017, but DFS delayed the effective date on December 28, 2016 and simultaneously issued a revised proposal (Proposed Rules) with a current proposed effective date of March 1, 2017—with transition periods for some requirements (read our January 2017 LawFlash for more detail).
The DFS cybersecurity framework would require banks, insurers, and other DFS-regulated financial services companies to adhere to stringent cybersecurity requirements mandating firms to test their systems, establish plans to respond to cybersecurity events, and annually certify compliance with the cybersecurity requirements, among other mandates.
Comments on the Proposed Rules were due by January 27. Given the potential impact on firms, Morgan Lewis submitted two comment letters recommending modifications to the Proposed Rules, as summarized below.
Morgan Lewis Comment Letters on Proposed Rules
In our comment letters, we urged the New York DFS to reconsider several of its proposals. The DFS had first revised the Proposed Rules after receiving comments and suggestions from various trade groups and interested parties. In some instances, the revised rules incorporate comments made in our first comment letter. Specifically, the revised rules make the following modifications:
- The Proposed Rules now permit a Covered Entity’s Chief Information Security Officer (CISO) and security personnel to be employed by an affiliate, which would increase a Covered Entity’s organizational flexibility in complying with the CISO requirement.
- Covered Entities now have the flexibility to perform a risk assessment on which many of the other requirements are based, thereby narrowing the scope of certain requirements.
- Based on the risk assessment described above, Covered Entities may only need to use either multi-factor or risk-based authentication (except where persons may access a Covered Entity’s internal network from an external network, in which case multi-factor authentication would still be required).
- The DFS has modified the cybersecurity breach notification rules to eliminate the requirement to notify DFS when a Covered Entity identifies any material risk of imminent harm. Under the revised Proposed Rules, notification is instead required when a Cybersecurity Event has “a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.”
- The “Small Covered Entity Exemption” has been revised to add an exemption for Covered Entities with fewer than 10 employees (including independent contractors) and to eliminate the exemption for entities with fewer than 1,000 customers in each of the last three calendar years.
In our second comment letter, we recommended that the New York DFS make the following additional revisions to the Proposed Rules:
- Introduce a harmonized framework that is consistent with the flexible, best-practice approach utilized by federal regulations. Instead of imposing new rigid rules, the DFS should adopt principles that enable Covered Entities’ cybersecurity programs to develop over time, which will better promote effective cybersecurity with lower costs of compliance.
- Assure that any reporting requirement be tied to meaningful circumstances connected with the cyber incident and conform to any existing reporting requirements. As drafted, the proposed reporting requirement will discourage firms from reporting cyber incidents to law enforcement and also discourage the reporting of cyber threats. In addition, the reporting trigger is too broad and will mandate the reporting of, and lead to over-reporting of, insignificant incidents.
- Clarify Proposed Rule 500.18 (titled “Confidentiality”), which is ambiguous and subject to multiple interpretations.
- Provide that documents related to a risk assessment or other DFS-required records subject to attorney-client privilege but provided to the DFS remain subject to the attorney-client privilege under New York law and will not be used for purposes other than the exercise of the DFS’s regulatory and supervisory duties and responsibilities.
- Eliminate the annual compliance certification. The certification requirement confirms the notion that the Proposed Rules are a “check-the-box” regime that fails to foster meaningful compliance. Because compliance with the Proposed Rules would be required without the certification, the certification requirement does not add value and should be eliminated.
- Allow a financial institution to rely on a substituted compliance program. Although the Proposed Rules permit a Covered Entity to adopt an affiliate’s cybersecurity program—to the extent such program complies with the DFS requirements—the DFS should permit a broader substituted compliance program when a Covered Entity is already subject to cybersecurity oversight by a federal or state regulatory agency.
- Confirm that an individual designated with the title of CISO is not required, but rather that one or more individuals may fulfill the CISO functions enumerated in the Proposed Rules.
- Expand the proposed exemption for small Covered Entities by exempting small Covered Entities from the following requirements—access privileges, third party information security policy, limitations on data retention, and the “Notices to Superintendent – certification” requirement.
The Proposed Rules currently are projected to become effective on March 1, 2017, with a 180-day grace period as well as several transition periods for certain requirements. For example, Covered Entities will be required to submit the certification of compliance as of February 15, 2018, and will have
- one year from the effective date to comply with the CISO reporting requirement, penetration testing and vulnerability assessment, risk assessment, multi-factor authentication, and cybersecurity awareness training;
- 18 months to comply with audit trail, application security, limitations on data retention, monitoring procedures, and encryption of nonpublic information; and
- two years to comply with the third party service provider security policy.
It is unlikely that the DFS will make material substantive changes to the Proposed Rules when they are adopted in final form, although adjustments to the effective date and compliance period are possible. Therefore, Covered Entities should begin taking the steps necessary to comply with the fundamental requirements that the DFS likely will adopt in some fashion.