New York Financial Cybersecurity Regulations Take Effect This Month

On March 1, the New York Department of Financial Services’ (DFS) cybersecurity regulations took effect. Although the regulations only cover banks, insurance companies, and other financial services companies that are regulated by DFS, the new rules could affect companies that provide services to DFS-regulated organizations.

Among the key requirements of the new rules for regulated financial companies:

• Conduct regular risk assessments to understand the company’s key cybersecurity threats and vulnerabilities;

• Based on these risk assessments, develop a comprehensive cybersecurity program, which, among other things, helps the company identify key risks to the security and integrity of nonpublic information, protect against unauthorized access, detect and respond to incidents (such as data breaches), and recover from incidents;

• Maintain a comprehensive set of cybersecurity policies, approved by a senior officer or board of directors, that address:
• Information security;
• Data governance and classification;
• Asset inventory and device management;
• Access controls and identity management;
• Business continuity and disaster recovery planning and resources;
• Systems operations and availability concerns;
• Systems and network security;
• Systems and network monitoring;
• Systems and application development and quality assurance;
• Physical security and environmental controls;
• Customer data privacy;
• Vendor and third party service provider management
• Risk assessment; and
• Incident response;

• Designate a qualified Chief Information Security Officer (employed either directly by the company or by an affiliate or service provider);

• Continuously monitor effectiveness of the cybersecurity program, or conduct annual penetration testing and bi-annual vulnerability assessments;

• Maintain “audit trails” that allow companies to restore services after an incident;

• Use effective access controls, which may include multi-factor authentication, to access nonpublic information or systems;

• Regularly train employees on cybersecurity awareness;

• Encrypt nonpublic information, unless encryption is determined to be infeasible (in which case, the Chief Information Security Officer may consider alternative controls); and

• Report cybersecurity incidents to DFS “as promptly as possible” but no later than 72 hours after determining that an incident has occurred.

Companies must begin complying with many of the above requirements on August 28, 2017, though they will have more time to comply with certain rules. Small businesses are exempt from some of the requirements.

Impact on Service Providers

Although the above requirements only apply to DFS-regulated financial companies, the new regulation will impact many firms that provide services to those regulated companies. The new regulations require each covered financial company to develop cybersecurity policies and procedures for third-party service providers that maintain, process, or are permitted to access the company’s nonpublic information. At minimum, the policies and procedures must address the following:

• Assessing the risks of third-party service providers;

• Requiring minimum cybersecurity practices;

• Conducting due diligence on the service providers’ cybersecurity; and

• Periodically assessing the third-party service providers’ cybersecurity risks and the adequacy of their security practices.

DFS requires that regulated financial companies develop guidelines for due diligence or contractual requirements that address service providers’ access controls, use of encryption, notification of the company after a cybersecurity incident, and representations and warranties regarding the provider’s cybersecurity policies and procedures.

The DFS regulations likely will cause regulated financial companies to impose increasingly stringent contractual cybersecurity requirements on service providers that handle nonpublic information.

Impact of the DFS regulations

DFS is not the first government entity to impose cybersecurity requirements on U.S. companies. About a dozen states already have enacted laws that require companies that process to adopt “reasonable” data security protections for their residents’ personal information, and some sector-specific federal laws, including the Gramm-Leach-Bliley Act (for financial institutions) and the Health Insurance Portability and Accountability Act (for healthcare providers and related entities) also require specific safeguards. Moreover, companies with inadequate data security face potential enforcement actions by the Federal Trade Commission and state attorneys general, and litigation from individuals whose data was compromised.

The DFS regulations are noteworthy because they are among the most detailed and rigorous. Although the regulations allow companies to develop cybersecurity programs and policies based on the amount of risk, the regulations also address specific technical and policy issues such as multi-factor authentication, a strong presumption in favor of encryption, and the designation of a Chief Information Security Officer.

Financial companies that are regulated by DFS – and service providers that might handle those companies’ nonpublic information – should evaluate all of their cybersecurity policies and practices over the next few months to ensure compliance by August 28.

Even if a company is neither regulated by DFS nor a service provider for a regulated company, the DFS regulations indicate the types of cybersecurity policies and procedures that other regulators are likely to expect when assessing whether a company adequately safeguarded its information and systems.

Note: This Bulletin is not intended as legal advice. Readers should seek professional legal counseling before acting on the information it contains.