New York's Revised Cybersecurity Regulation

In September 2016, the New York Department of Financial Services (DFS) proposed the first statewide cybersecurity regulation of its kind. The proposed regulation mandated that insurance companies, banks, and other financial services institutions regulated by the DFS (Covered Entities) establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The proposed regulation was scheduled to become effective on January 1, 2017.
After reviewing more than 150 comments during the 45-day notice and public comment period, on December 28, 2016, the DFS published a revised proposed cybersecurity regulation. The revised proposed regulation is now scheduled to become effective on March 1, 2017. Covered Entities will have until September 1, 2017, to become compliant with the revised regulation, and until February 15, 2018, to submit a certificate of compliance to the DFS.
Despite negative comments from trade groups and companies within the impacted insurance, banking, and financial institution communities, the DFS left the requirements contained in its originally proposed regulation largely intact. In general, under the proposed revision, Covered Entities will be allowed more flexibility to tailor their cybersecurity plans to the particular weaknesses identified in the risk assessments that the regulation requires Covered Entities to perform. The department also eased the reporting requirements for “cybersecurity events.” While Covered Entities must still notify the DFS within 72 hours, the mandate will now apply only to incidents that a Covered Entity concludes have a reasonable likelihood of compromising confidential information.
The definition of Nonpublic Information (“NPI”) has been tightened in the revised regulations. Previously defined as “any information” collected in connection with a financial product, the revised regulation includes the more commonly used and more specific definition of “[a]ny information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
  • Social security number;
  • Drivers’ license number or non-driver identification card number;
  • Account number, credit or debit card number;
  • Any security code, access code or password that would permit access to an individual’s financial account; or
  • Biometric records.”
The revised regulation also no longer includes as NPI “any information that can be used to distinguish or trace an individual’s identity.”
The originally proposed regulation required Covered Entities to establish third-party cybersecurity policies and procedures that treated all third parties the same in terms of the risk they presented. The revised regulation allows Covered Entities to base the terms of their cybersecurity policies and procedures that relate to third-party vendors on the specific third-party risks identified in the entity’s overall Risk Assessment. Also, instead of requiring Covered Entities to impose specific contract terms on all vendors, Covered Entities will only be required to establish “relevant guidelines” that address the third party’s cybersecurity policies and procedures.
Despite these changes, it is clear that third parties that handle or have access to a Covered Entity’s data — including law firms and legal service providers (e.g., legal process outsourcers) — will likely be affected by the regulation. As a result, they will need to develop their own cybersecurity policies that comply with the revised regulation to continue providing services to Covered Entities. For example, as reported in the recent Wall Street Journal article entitled “Banks Try to Thwart Hackers, Take Aim at Vendors,” one bank executive was already quoted as saying, “[w]hatever controls we provide internally, we have to make sure the third party also follows.”
The revised regulation does not require that an individual within each company have the specific title of Chief Information Security Officer (“CISO”), only that a qualified individual be designated as responsible for overseeing the cybersecurity program and enforcing the cybersecurity policy. The regulation clarifies that the CISO may be employed by the covered entity, an affiliate, or a third-party service provider.
The definition of entities exempt from the regulation was also modified. An entity will be exempt if it has:
  • Fewer than 10 employees, including independent contractors, or
  • Less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
  • Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
Additional revisions to the regulation include the following:
  • Allows for the use of third-party service providers (e.g., an outsourced CISO) to maintain and manage a company’s cybersecurity program;
  • Adds “device management” to the list of areas that need to be addressed by a cybersecurity policy;
  • The definition of “Penetration Testing” was made more specific by adding language (shown in bold in the original post) to the definition – “a test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting unauthorized penetration of databases or controls from outside or inside the Covered Entity’s Information Systems”;
  • Audit trail records retention requirements were decreased from 6 years to 5 years; and
  • Limitations on user access privileges were relaxed; access is no longer restricted solely to those individuals who require it in order to perform their responsibilities.
The regulation covers any individual or entity operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York State banking, insurance or financial services laws, with the above exception for small entities.
As the regulation is mandatory, Covered Entities should immediately undertake a review of their cybersecurity policies and programs to ensure they are in compliance when the regulation goes into effect on March 1, 2017. Further, third parties that provide services to Covered Entities should also ensure they are compliant, as failure to do so could jeopardize their ability to provide services to Covered Entities.
The full text of the regulation can be viewed here.