The New York Department of Financial Services (NYDFS) recently issued a new cybersecurity regulation (23 NYCRR Part 500), and there is good reason to take note of it even if your company is not regulated by the NYDFS. The first reason is that the regulation's reach is not limited to companies that fall under NYDFS jurisdiction (i.e., New York banks, financial service companies and insurance companies). Third party vendors who perform services for companies covered by the regulation are also affected, indirectly, by some of its provisions.
Second, it is safe to say that other local or state agencies, business organizations and/or regulators will follow New York's lead and issue rules and regulations that are patterned after or similar to the DFS regulation. For example, the National Association of Insurance Commissioners (NAIC) will be voting next month on the final draft of a data security model law that has provisions similar to the NYDFS regulation. In fact, that model law deems a company that already complies with the NYDFS regulation to be in compliance with its own provisions.
Finally, certain provisions of the NYDFS cybersecurity regulation bear noting because they require companies to take actions that are considered "best practices" when it comes to cybersecurity and data breaches (e.g., training employees on cybersecurity, encrypting non-public information, creating and maintaining a data breach incident response plan). Thus, a compliant company will reap the security, legal and insurance benefits of those practices even if it does not fall within NYDFS jurisdiction.
With that in mind, here are answers to some of the Frequently Asked Questions (FAQ) about the more notable provisions of the NYDFS regulation.
What is its Purpose?
The stated goal of the NYDFS regulation is two-fold: to define good security practices and to make senior management and the board of directors responsible for seeing that the cybersecurity program is implemented (the board or a senior officer must certify compliance annually). Involvement in cybersecurity matters at the board of directors' level is consistent with recent trends. Moreover, it should come as no surprise in light of the significant cybersecurity risk common to businesses of all sizes and in all industries.
When Does the Regulation Become Effective?
The regulation became effective on March 1, 2017. Transitional compliance periods for its various provisions range from 180 days to two years after the effective date.
To Whom Does the Regulation Apply?
The regulation applies to “[a]ny person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under
(a) New York banking law;
(b) New York insurance law; or
(c) New York financial services law.
Those governed by the regulation are known as “Covered Entities.”
What Does the Regulation Require of Covered Entities?
Covered Entities are required to maintain a cybersecurity program, based upon their own risk assessment, that is designed to ensure the confidentiality, integrity and availability of their information systems.
The program must be designed to perform these core functions:
- identification and assessment of internal and external cybersecurity risks;
- use of defensive infrastructure and implementation of policies and procedures to protect information systems and non-public information from unauthorized access, use or other malicious acts;
- detection of, response to and recovery from cybersecurity events; and
- fulfillment of applicable regulatory reporting obligations.
What Must a Covered Entity’s Cybersecurity Policy Address?
A Covered Entity’s cybersecurity policy must address:
– information security;
– data governance and classification;
– access controls and identity management;
– business continuity and disaster recovery planning and resources;
– systems operations and availability concerns;
– systems and network security;
– monitoring systems;
– application development and quality assurance;
– physical security;
– environmental controls;
– customer data privacy;
– vendor and third-party service provider management;
– risk assessment; and
– incident response.
What Other Things Are Required of Covered Entities?
Designation of CISO
Covered Entities are required to designate a qualified individual who is responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy, i.e., who performs the functions of a Chief Information Security Officer (CISO). The individual is not required to have the specific title of CISO or to be dedicated exclusively to CISO activities. However, the CISO is required to report in writing at least annually to the board of directors or equivalent governing body of the Covered Entity on the cybersecurity program and material cybersecurity risks.
The role of CISO may be filled by an employee of an affiliate or by a third-party service provider. When that occurs, the Covered Entity remains responsible for the program's compliance with the regulation, must designate a senior member of its own personnel to direct and oversee the service provider, and must require the service provider to maintain a cybersecurity program that protects the Covered Entity.
Incident Response Plan
Covered Entities are required to establish a written incident response plan that:
- addresses internal processes for responding, the goals of the plan and external and internal communications and information sharing;
- clearly defines roles, responsibilities and levels of decision-making authority;
- identifies the requirements for remediation of noted weaknesses;
- addresses documentation and reporting regarding cybersecurity events; and
- provides for evaluation and revision of the plan as necessary following a cybersecurity event.
Covered Entities are required to provide regular cybersecurity awareness training for all personnel, updated to reflect the risks identified in the Covered Entity's risk assessment.
Covered Entities are required to notify the NYDFS superintendent as promptly as possible, and in no event later than seventy-two (72) hours after determining that a cybersecurity event has occurred, where the event must be reported to any other government, self-regulatory or supervisory body or has a reasonable likelihood of materially harming any material part of the Covered Entity's normal operations.
Covered Entities must use multi-factor authentication for any individual accessing the Covered Entity's internal networks from an external network, unless the CISO has approved in writing the use of reasonably equivalent or more secure access controls.
Covered Entities are required to conduct periodic risk assessments of their information systems, and to update them as reasonably necessary to address changes to their systems, non-public information or business operations.
Covered Entities are required to monitor and test the effectiveness of their cybersecurity program. Absent effective continuous monitoring (or other systems that detect, on an ongoing basis, changes that may create or indicate vulnerabilities), they must conduct annual penetration testing of their information systems and bi-annual vulnerability assessments.
Covered Entities are required to implement controls, including encryption, to protect non-public information both in transit over external networks and at rest. Where encryption is infeasible, the Covered Entity may instead use effective compensating controls reviewed and approved by the CISO, with that determination revisited at least annually.
Covered Entities are required to file with the superintendent, by February 15 of each year, a written statement certifying compliance with the regulation for the prior calendar year.
How Does the Regulation Define Third Party Service Providers?
Third Party Service Providers are defined as entities that:
– are not an affiliate of the Covered Entity;
– provide services to the Covered Entity; and
– maintain, process or otherwise are permitted access to non-public information through their provision of services to the Covered Entity.
What Is Required of Covered Entities with Respect to Third Party Service Providers?
Covered Entities must have policies and procedures that are designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.
These policies and procedures must include:
- identification and risk assessment of third party service providers;
- minimum cybersecurity practices required to be met by such third parties;
- due diligence processes used to evaluate the adequacy of cybersecurity practices of third parties; and
- periodic assessment of third parties, based upon the risk they present, to assure the continued adequacy of their cybersecurity practices.
What Does the Regulation Require of Third Party Service Providers to Covered Entities?
The regulation does not bind Third Party Service Providers directly; its requirements reach them through the Covered Entity. A Covered Entity's third party policy must set out guidelines for due diligence and/or contractual protections covering, to the extent applicable, the service provider's access controls (including multi-factor authentication), its use of encryption to protect non-public information in transit and at rest, the notice the provider must give the Covered Entity of a cybersecurity event that directly impacts the Covered Entity's information systems or non-public information, and the provider's representations and warranties regarding its cybersecurity practices. In practice, therefore, a vendor that wants to keep a regulated customer must be prepared to meet, and contractually commit to, those requirements.
The above FAQs illustrate that the NYDFS has taken, and will continue to take, the issue of cybersecurity in the entities it regulates quite seriously. Moreover, the department has effectively extended the expectation of security best practices beyond the organizations it regulates by requiring Covered Entities to hold their third party vendors to certain of its provisions. By so doing, the department appears to be seeking better and more expansive protection for the entities that it regulates. If the NAIC's recent behavior is any indication, the NYDFS regulation will be just the beginning of regulatory action in the area of cybersecurity. With that being the case, all companies are well-advised to review their own cybersecurity practices, and the practices of vendors with whom they share non-public information, in light of the NYDFS cybersecurity regulation and the best practices in their industry.
The information presented here is for general educational purposes only. It does not constitute legal advice and does not create an attorney-client relationship.