Last fall, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations that were designed to “promote the protection of customer information and information technology systems of regulated entities.” On December 28, 2016, DFS issued a press release effectively delaying the enforcement date to March 1, 2017. The postponement was the result of a notice and comment period allowing the affected industries to provide their comments on the hardships of abiding by the initial regulations. The final version is codified under N.Y.C.R.R. Part 500 (the Rules). The Rules apply to “Covered Entities,” which are defined to mean any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of New York. The final version provides greater flexibility and discretion for businesses regulated by DFS and allows Covered Entities to tailor a cybersecurity program that fits their business needs.
The following is a summary of the significant changes that were adopted in the Rules that highlight the corporate responsibility, including Board involvement, for developing and maintaining a cybersecurity program and the reporting requirements associated with such a program:
- The final regulations incorporated significant flexibility with respect to the requirements of a Covered Entity’s cybersecurity program. It is now permitted to adopt a cybersecurity program maintained by an “Affiliate”—a person under its control—instead of establishing its own cybersecurity program, so long as the Affiliate’s program meets the requirements of the rules.
- A qualified individual must now be designated to oversee the implementation and enforcement of the cybersecurity program. This person must now be either a chief information security officer (CISO) or someone in a comparable position. The Covered Entity may instead utilize a “Third-Party Service Provider” or an Affiliate to carry out these responsibilities, so long as someone in a senior position at the Covered Entity supervises them. However, the Covered Entity itself must have sufficient, trained personnel to meet and execute the requirements of the cybersecurity program.
- Annual reports must be made to the Covered Entity’s Board of Directors, which includes information regarding the cybersecurity program and policy, any existing cyber threats, the state of the Information Systems, and any Cybersecurity Events that have occurred in the preceding year.
- The sections regarding penetration testing and vulnerability assessment were changed to require that Covered Entities conduct annual penetration testing—a change from quarterly testing—based on identified risk. In addition, Covered Entities are now required to conduct biannual vulnerability assessments. Further, monitoring and testing of their cybersecurity program must now be done “periodically,” as opposed to annually. This is consistent with the new requirement that Covered Entities set up written policies and procedures regarding risk assessments, and conduct risk assessments periodically instead of annually.
- Covered Entities are required to maintain a reduced number of “audit trail systems” (down from six to three) based upon the Covered Entity’s risk assessment. Systems are to be designed to detect “Cybersecurity Events” that have a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” A Covered Entity must retain audit trail system records for five years.
- The Rules also set forth extensive requirements regarding the role of Third Party Service Providers. Covered Entities must now implement written policies and procedures to ensure that system security and the security of Nonpublic Information is protected. The Rules outline the types of issues to be covered in these policies and procedures, including guidelines for due diligence, encryption use, and notice requirements in case of a Cybersecurity Event.
- Covered Entities are given some flexibility in reporting a “Cybersecurity Event” which means an event that would “have a reasonable likelihood of materially harming any part of the normal operation(s) of the Covered Entity[,]” and that it is the type of event that requires notice to a governmental body. Covered Entities must notify DFS immediately, but no later than 72 hours, after a finding that an event has occurred.
The Rules promulgated by DFS serve as an important reminder that senior management must continue to take cybersecurity issues seriously and implement the appropriate programs for their organizations. Ensuring compliance with the Rules will help minimize liability exposures that can arise from data breaches. It remains to be seen whether other states will follow New York’s lead with their own regulations. Colorado, for example, will hold a hearing on May 2, 2017, on its proposed rule requiring entities with state securities licenses to conduct an annual assessment of their cybersecurity risks. Unlike the New York regulations, the proposed Colorado rule would apply to financial advisers and broker-dealers.