Last fall, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (“DFS”) proposed cybersecurity regulations designed to “promote the protection of customer information and information technology systems of regulated entities.” Regulated “Covered Entities” were defined to mean any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York. The regulations went into effect March 1, 2017, after the original effective date was pushed back in response to comments from the affected industries, submitted during the notice and comment period, about the hardships the initial proposal would have imposed. The final version provides greater flexibility and discretion for businesses regulated by DFS, allows Covered Entities to tailor a cybersecurity program that fits their business needs, and includes transition periods (180 days for most provisions, longer for others). The final version is codified at 23 N.Y.C.R.R. Part 500 (“the Regulation”). The details are discussed further below.
Other states are now starting to follow New York’s lead in mandating at least some degree of cybersecurity assessment for entities subject to state regulatory oversight. Colorado, for example, scheduled a hearing for May 2, 2017, on proposed regulations targeted at investment advisers. Although these advisers are already subject to federal regulation, since the Securities and Exchange Commission requires the advisers it regulates to have written cybersecurity policies in effect, the proposed state regulations would impose additional obligations, including an annual assessment of cybersecurity exposures. The New York Regulation is not targeted at investment advisers, although it would apply to them if they are licensed by the state, for example as an insurance broker or agent.
The New York Regulation, and the proposed Colorado regulations, demonstrate that for financial institutions, cybersecurity compliance means satisfying state requirements as well as any federal ones that also apply, and the state requirements may be the more explicit and specific of the two. This, of course, is in addition to the general data-security requirements that already exist in many states for the protection of individuals’ personally identifiable information, although those are typically more general than the new regulations that state agencies overseeing financial institutions, such as the NY DFS, are putting into place.
Overview of New York Regulation
As New York is at the forefront of state regulation of the cybersecurity of financial institutions, its provisions are likely to serve as a model for other states. They are also an important reminder that senior management must keep a close eye both externally, on emerging state and federal cybersecurity requirements, and internally, on the implementation of appropriate and compliant programs within their organizations.
The following is a summary of the significant provisions adopted in the final New York Regulation that highlight corporate responsibility, including Board involvement, for developing and maintaining a cybersecurity program, and the reporting requirements associated with such a program:
- The final Regulation incorporates significant flexibility with respect to the requirements of a Covered Entity’s cybersecurity program. A Covered Entity may adopt the cybersecurity program maintained by an “Affiliate” (a Person that controls, is controlled by, or is under common control with the Covered Entity) instead of establishing its own, so long as the Affiliate’s program meets the requirements of the Regulation.
- A qualified individual must be designated as the Chief Information Security Officer (“CISO”) to oversee and implement the cybersecurity program and enforce the cybersecurity policy. The Covered Entity may use a person employed by a Third Party Service Provider or an Affiliate to carry out these responsibilities, so long as the Covered Entity retains responsibility for compliance and designates a senior member of its own personnel to direct and oversee that person. The Covered Entity must also ensure that it has sufficient qualified and trained personnel to meet and execute the requirements of the cybersecurity program.
- The CISO must report in writing at least annually to the Covered Entity’s Board of Directors (or equivalent governing body) on the cybersecurity program and policy, material cyber risks to the entity and the state of its Information Systems, the overall effectiveness of the program, and any material Cybersecurity Events that occurred in the period covered by the report.
- The sections on penetration testing and vulnerability assessment were changed to require annual penetration testing (rather than the quarterly testing in the original proposal), based on the Covered Entity’s Risk Assessment, together with bi-annual (twice-yearly) vulnerability assessments. Monitoring and testing of the cybersecurity program must now be done “periodically” rather than annually, which is consistent with the new requirement that Covered Entities adopt written policies and procedures for Risk Assessments and conduct those assessments periodically instead of annually.
- Covered Entities are required to maintain a reduced set of “audit trail” systems (down from six in the original proposal to three), scoped according to the Covered Entity’s Risk Assessment. The systems must be designed to detect and respond to “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” Records needed to reconstruct material financial transactions must be retained for five years; the audit trail records used to detect and respond to Cybersecurity Events must be retained for three years.
- The Regulation also sets out extensive requirements regarding Third Party Service Providers. Covered Entities must implement written policies and procedures designed to ensure the security of their Information Systems and of Nonpublic Information that is accessible to, or held by, those providers. The Regulation outlines the issues these policies and procedures must address, including due diligence on providers, the minimum cybersecurity practices they must meet, periodic reassessment of them, and contractual guidelines covering matters such as access controls, encryption, and notice to the Covered Entity of a Cybersecurity Event affecting the provider.
- The final Regulation narrows the reporting obligation. A “Cybersecurity Event” is defined broadly as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or the information stored on it, but notice to DFS is required only where the event either must be reported to a government body, self-regulatory agency or other supervisory body, or has a “reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Notice must be given as promptly as possible, and in no event later than 72 hours after the Covered Entity determines that such an event has occurred.
There are numerous other fairly specific requirements for procedures and reporting, and thus the Regulation should be reviewed carefully by those entities subject to it.
New York, and now Colorado, are probably just the first of a series of states that will consider and adopt their own schemes of cybersecurity regulation, while federal agencies overseeing various industries also increasingly add cybersecurity requirements to their oversight of the entities they regulate. The challenge of complying with a patchwork of regulations continues, with the most restrictive rule generally becoming the default standard to be met, since compliance with it will usually also satisfy those that are more general and less rigorous.
* The authors would like to acknowledge the contribution of Danya Ahmed, associate in the Sedgwick LLP New York Office, to this article.