
New York State's Financial Services Cybersecurity Regulation

By Elizabeth B. Vandesteeg and Kathryn C. Nadro
March 02, 2017

New York is poised to become the first state in the nation with comprehensive cybersecurity regulation and reporting requirements applicable to the entire financial services industry, with only very limited exemptions. 23 NYCRR 500 (the Regulation) will require banks, insurance companies, and other financial institutions regulated by the New York State Department of Financial Services (DFS) to establish and maintain a cybersecurity program designed to protect consumers and the stability of New York's financial services industry. The Regulation was designed to promote the protection of customer information as well as the underlying information technology systems of regulated entities in light of the ever-increasing threat of cyber attacks. It requires each entity to assess its specific risk profile and design a program that addresses those risks; senior management is responsible for the program, including an annual certification of compliance.

Originally intended to go into effect on Jan. 1, 2017, the Regulation received substantial industry comment and push-back. In response, DFS released a revised draft of the Regulation which was open to an additional 30-day comment period, extending the Regulation's effective date to March 1, 2017.

To Whom Does the Regulation Apply?

The Regulation has far-reaching application across the financial services industry, broadly defining a “Covered Entity” as any “Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”

Covered Entities will be required to annually report to the Superintendent and provide a Certification of Compliance beginning Feb. 15, 2018. Affected entities will have 180 days after the effective date to comply with most provisions, and two years to fully implement others.

What Does the Regulation Require? A Lot.

Broadly speaking, the Regulation requires Covered Entities to establish and maintain a formal cybersecurity program. This requires the creation of a written cybersecurity policy. It requires the designation of a Chief Information Security Officer (CISO), the retention of cybersecurity personnel, and internal training of all personnel. The Regulation requires the implementation of various IT-based infrastructure and audit measures, such as penetration testing, vulnerability assessments, audit trails, restricted access privileges, application security, multi-factor authentication and encryption. Covered Entities must also develop written policies regarding information security guidelines and a written incident response plan. Finally, the Regulation requires certain notices to be provided to the DFS Superintendent regarding cybersecurity events and routine compliance.

The Details

The following provides additional detail on certain of the specific key provisions.

Nonpublic Information: Covered Entities must establish and maintain a Cybersecurity Program, the main intent of which is to protect against the unauthorized access to, or dissemination of, “Nonpublic Information.” Although somewhat narrowed in response to the industry comments, the Regulation defines Nonpublic Information quite broadly as:

  1. business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the Covered Entity's business, operations or security;
  2. any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records; and
  3. any information (except age or gender) created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.

Nonpublic Information does not include “Publicly Available Information,” which includes any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from federal, state or local government records, widely distributed media, or disclosures to the general public that are required to be made by federal, state or local law. A Covered Entity has such a “reasonable basis to believe” that information is lawfully made available to the public when it has taken steps to determine that the information is of “the type that is available to the general public” and whether an individual can direct that the “information not be made available to the general public, and if so, that such individual has not done so.” This definition implies a duty of due diligence on a Covered Entity to make a reasonable determination that the information in question is truly publicly available.

Cybersecurity Program: The requisite Cybersecurity Program must be based on the Risk Assessment required by the Regulation, and designed to ensure the confidentiality, integrity and availability of information systems by performing the following functions: 1) identify internal and external cyber risks; 2) use defensive infrastructure and the implementation of policies and procedures; 3) detect, respond to and recover from cybersecurity events; and 4) fulfill regulatory reporting requirements.

Cybersecurity Policy: Covered Entities will be required to create a written policy setting forth policies and procedures for the protection of nonpublic information addressing, at a minimum, the following:

  1. information security;
  2. data governance and classification;
  3. asset inventory and device management;
  4. access controls and identity management;
  5. business continuity and disaster recovery planning and resources;
  6. systems operations and availability concerns;
  7. systems and network security;
  8. systems and network monitoring;
  9. systems and application development and quality assurance;
  10. physical security and environmental controls;
  11. customer data privacy;
  12. vendor and third-party service provider management;
  13. risk assessment; and
  14. incident response.

The cybersecurity policy is a very important document, and is subject to the approval of a senior officer or the board of directors or equivalent governing body.

Risk Assessment: Section 500.09 of the Regulation calls for Covered Entities to perform individualized assessments of information systems “sufficient to inform the design of the cybersecurity program,” which “shall be updated as reasonably necessary to address changes” to the entity's information systems. This modification allows Covered Entities to adopt an individualized, flexible approach to compliance.

CISO Requirement: Covered Entities are required to designate a Chief Information Security Officer (CISO), who is responsible for overseeing and implementing the Covered Entity's cybersecurity program and enforcing its cybersecurity policy. The CISO must provide an annual report to the Covered Entity's board of directors regarding the cybersecurity program and material cybersecurity risks.

Penetration Testing: The Regulation mandates penetration testing and vulnerability assessments, developed in accordance with the Covered Entity's Risk Assessment. Monitoring should be done on a continuous basis, with periodic penetration testing and vulnerability assessments. In the absence of continuous monitoring, penetration testing must be performed at least annually, with quarterly vulnerability testing.

Audit Trail: Audit trail systems will now be required. Fortunately for Covered Entities, the revised Regulation has significantly changed this “audit trail” requirement. While the original proposal had relatively onerous requirements to track and maintain data that allowed for the “complete and accurate reconstruction of all financial transactions and accounting necessary” to detect and respond to a Cybersecurity Event, the current draft of the Regulation only requires an audit trail to reconstruct “material” financial transactions “sufficient to support normal operations and obligations” of the Covered Entity. Further, audit trails are only required for Cybersecurity Events that have a “reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.” Record-keeping obligations have been reduced from six years to five.

Encryption Requirement: In response to strong industry feedback, the current Regulation has narrowed the requirement that Covered Entities encrypt all their information. While the prior version required all Nonpublic Information held or transmitted by a Covered Entity to be encrypted, the Regulation is now much more flexible, requiring Covered Entities to implement controls (which may include encryption) appropriate to their individualized Risk Assessments.

Third-Party Service Providers: The Regulation also affects Covered Entities' dealings with third parties, requiring implementation of written policies and procedures designed to ensure the security of systems and nonpublic information that are accessible to, or held by, third parties. These policies and procedures must also establish preferred provisions to be included in contracts with third-party service providers.

Incident Response Plan: The Regulation mandates the creation of a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event affecting the confidentiality, integrity, or availability of the covered entity's information systems or the continuing functionality of any aspect of the business, and must address

Reporting Obligations: The Regulation imposes several notice and reporting requirements on Covered Entities. Reporting obligations to the DFS Superintendent are less onerous in the revised Regulation compared to its initial form. Formerly, Covered Entities were required to inform the Superintendent within 72 hours of any “Cybersecurity Event” that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or affecting Nonpublic Information. In its revised form, the Regulation only requires reporting to the Superintendent of Cybersecurity Events where notice is required “to any government body, self-regulatory agency or any other supervisory body” and those that “have a reasonable likelihood of materially harming,” rather than affecting, the “normal operations of the Covered Entity.”

The Regulation is currently scheduled to go into effect on March 1, 2017. All Covered Entities, and Third-Party Service Providers, should review and redesign any existing cybersecurity programs to bring them into compliance, ideally with the assistance of experienced counsel.

*****
Elizabeth (Lisa) Vandesteeg is a partner and Kathryn Nadro is an associate at Sugar Felsenthal Grais & Hammer. A member of this newsletter's Board of Editors, Vandesteeg focuses her practice on bankruptcy, business divorce, partner and shareholder disputes, and privacy and data security issues. Nadro concentrates on commercial litigation as well as employment and labor matters. They can be reached at [email protected] and [email protected], respectively.

