The New York Department of Financial Services announced on Dec. 28 a revised regulation that will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards."
All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed rules. Third-party service providers to these institutions should also prepare for compliance requirements that will likely be imposed downstream from these covered entities.
The revised regulation will become final and effective on March 1, 2017 (a delay of two months from the originally proposed Jan. 1, 2017, effective date). The first annual certification will now be due by Feb. 15, 2018.
The revised regulation also establishes tiered transition periods for covered entities to comply with the new requirements [Section numbers refer to the regulation, found here.]:
• Six months: All provisions not specified in the following transition periods.
• One year: CISO (chief information security officer) reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2)).
• Eighteen months: Audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15).
• Two years: Third-party service provider security policy (500.11).
Many of the requirements set forth in the initial version of the proposed regulation, released on Sept. 13, 2016 (summarized in an earlier Ballard Spahr alert available here), remain unchanged. NYDFS made some significant concessions, however, in response to more than 150 public comments that were submitted.
NYDFS released an "Assessment of Public Comments" with the revised regulation, providing some insight into the changes made in response to the public comments.
Some of the most pertinent revisions include:
• Small business exemption: Creation of a "limited" small business exemption for covered entities that have less than 10 employees, $5 million in gross annual revenue, or $10 million in year-end total assets.
• Risk-based assessments: Clarification that the revised regulation's requirements, such as the encryption and multi-factor authentication mandates, are intended to be linked to a covered entity's risk assessment.
However, NYDFS cautions that a risk assessment should not be used to justify a cost-benefit analysis of acceptable losses related to cybersecurity risks. The term "risk assessment" has been added as a new defined term in the revised regulation. The revised regulation requires that risk assessments be performed "periodically," instead of annually (as originally proposed).
• Audit trails: Reduction in the level of prescriptive requirements related to maintaining audit trails, including reducing the covered period from six to five years and focusing on material cybersecurity events.
• Nonpublic information: Significant narrowing of the definition to conform more closely to the definition in the New York breach notification statute. The revised regulation provides an exemption for any covered entity that does not directly or indirectly control, own, access, generate, receive, or possess any nonpublic information.
• Chief Information Security Officer (CISO): Clarification that so long as a covered entity has designated a qualified individual to perform the functions of a CISO, no individual is required to have this specific title or be dedicated exclusively to CISO activities. The designated individual now must provide a written, more narrowly focused, annual (not bi-annual) cybersecurity report to the board of directors or governing body.
• Third-party service providers: Amendment of the proposed regulation to clarify that any requirements imposed on third-party service providers should be based on the covered entity's risk assessment. Thus, covered entities will not be required to audit the systems of all third-party service providers.
The language requiring certain "preferred provisions" to be added to vendor contracts has been removed and replaced with a requirement to establish relevant guidelines and/or contractual protections. The term "third-party service provider" has been added as a new defined term in the revised regulation.
• Affiliates: Authorization of covered entities to satisfy the requirements of the revised regulation if covered by the cybersecurity program of an affiliate, including the affiliate's CISO.
• Cybersecurity event reporting: Retention of the 72-hour timeframe for notifying NYDFS of a "cybersecurity event," and addition of a "materiality" qualifier to the provisions governing the response to and reporting of cybersecurity events.
The revised notification requirement applies only to:
• Cybersecurity events of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body, and
• Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.
Importantly, the revised regulation includes new language addressing the confidentiality of any reporting submitted to NYDFS about cybersecurity events.
Public comments may be filed on the revised regulation for 30 days from the department’s Dec. 28, 2016, publication date. NYDFS will consider as part of its final review any new comments that were not previously raised during the original comment period, which ended on Nov. 14, 2016. As NYDFS has proven receptive to making changes based on public comments, financial institutions should carefully consider whether to file comments during the next 30 days.
DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.
© Ballard Spahr LLP 2016. Reproduced with permission
About the authors
Alan S. Kaplinsky, partner, leads Ballard Spahr LLP Consumer Financial Services Group. Kaplinsky devotes his practice exclusively to counseling financial institutions on bank regulatory and transactional matters, particularly consumer financial services law.
Kevin Leitão, of counsel, is a seasoned attorney and business executive who advises clients on a wide-range of regulatory and transactional matters. His legal advice is informed by 15 years of in-house counsel and senior compliance officer experience working in regulated industries.
Edward J. McAndrew, partner, is a counselor, investigator, and trial lawyer who helps clients navigate life in the digital world. He is co-leader of the firm's Privacy and Data Security Group.
Kim Phan, of counsel, advises clients on privacy and data security law in areas including the Fair Credit Reporting Act, the Fair Debt Collection Practices Act, the Gramm-Leach-Bliley Act, the Telephone Consumer Protection Act, and other privacy and data security statutes.