If the New York State Department of Financial Services (“DFS”) has its way, come January 1, 2017, financial services companies that require a form of authorization to operate under the banking, insurance, or financial services laws (“Covered Entities”) will be required to comply with a new set of comprehensive cybersecurity regulations aimed at safeguarding information systems and nonpublic information.
The regulations require the development of a cybersecurity program designed to achieve core cybersecurity functions, including risk identification, use of defensive infrastructure, policies, and procedures, detection, response, recovery, and reporting obligation compliance. Covered Entities must also implement a written cybersecurity policy, addressing at least fourteen specified areas, that is to be reviewed and approved annually by the board of directors and a senior officer. The rules call for additional periodic activities, such as annual cybersecurity risk assessments and penetration testing, and quarterly vulnerability assessments. Affected firms will be required to regularly provide mandatory cybersecurity awareness training and employ sufficient cybersecurity staff to manage risks and perform core cybersecurity functions.
Covered Entities will be required to appoint a Chief Information Security Officer (“CISO”) to develop a bi-annual report, available to the DFS upon request, addressing the state of their cybersecurity programs. Commencing January 15, 2018, each Covered Entity will have to certify annually that it is in compliance with these rules and retain supporting records for five years. Firms will have 72 hours to notify DFS of certain cybersecurity events that have a reasonable likelihood of materially affecting normal operations or nonpublic information, and must also have a written incident response plan in place.
The DFS regulations require that Covered Entities take steps to encrypt nonpublic information being transmitted or held. If encryption is not immediately feasible, firms can use appropriate alternative controls for one year for “in transit” data, and five years for “at rest” data. Covered Entities will also have to implement authentication procedures for access to information systems and nonpublic information, and audit trail systems that track and maintain, for six years, financial transaction, accounting, and system access data. Further, firms must limit information system and nonpublic information access privileges solely to those who require such access to perform their responsibilities.
The regulations also call upon Covered Entities to implement written policies and procedures relating to the cybersecurity practices of third party providers. A “Third Party Information Security Policy” must detail this assessment, state minimum cybersecurity practices required to do business with the Covered Entity, and address due diligence processes. Firms are to establish “preferred provisions” to be utilized in agreements with third parties that hold the third parties contractually accountable for their cybersecurity practices.
Sheppard Mullin highlighted several significant ways in which these regulations would impact the financial industry: “The proposed regulations go significantly beyond federal requirements currently in effect for financial institutions, and impose a number of onerous new obligations, particularly in requiring annual cybersecurity assessments, notification of state authorities within 72 hours of a breach, and the designation of a Chief Information Security Officer. If adopted in their present form, the proposed regulations will impose significant new burdens on New York financial institutions.”
The proposed regulations will be open to a 45-day notice and public comment period following their September 28, 2016 publication in the New York State Register. If the proposal is adopted, Covered Entities will have 180 days from the effective date to comply with its requirements. There is a limited exemption for Covered Entities with (1) less than 1,000 customers in each of the last three years, (2) less than $5,000,000 in gross revenue in each of the last three years, and (3) less than $10,000,000 in year-end total assets.
The New York State Department of Financial Services press release regarding the proposed regulations can be found at the following address: http://www.dfs.ny.gov/about/press/pr1609131.htm
The proposed regulations can be found at the following address: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf
Jeff Kern
+1 (212) 634-3075
jkern@sheppardmullin.com
Christopher Bosch
+1 (212) 653-8185
cbosch@sheppardmullin.com