A covered entity will need to arrange for someone to perform the CISO function, dedicate resources to conduct periodic risk assessments, develop and implement policies and procedures, and retain appropriate personnel and conduct personnel training.
If your organization is regulated by the New York Department of Financial Services (NYDFS), March 1, 2017 is an important date to mark on your calendar. On that day, absent further modification, the NYDFS’s modified Cybersecurity Regulations (23 NYCRR § 500 to 500.23) will take effect and will impose substantial cybersecurity obligations on banks, insurers and financial institutions that operate in the state of New York. 23 NYCRR § 500.01(c). The reach of these regulations, however, is not just limited to traditional financial services entities. As currently proposed, the regulations also apply to colleges, universities, and religious and philanthropic entities that are permitted under N.Y. Insurance Law § 1110 to issue charitable annuities. Id. If your organization is regulated by NYDFS, maintains or has access to personal information, and (i) has 10 or more employees (including independent contractors), (ii) more than $5 million in gross annual revenue in each of the last three fiscal years, and (iii) has more than $10 million in year-end total assets, it will be required to comply with the Cybersecurity Regulations. Id. at § 500.19.
The Cybersecurity Regulations, originally scheduled to take effect on January 1, 2017, were modified by NYDFS after substantial comments from the banking, insurance and financial services industries.1 The modified regulations implement minimum cybersecurity standards in a phased approach, with some standards requiring compliance within 180 days of March 1, 2017, and other standards having a compliance grace period of up to two years. Id. at § 500.22. A summary of six of the primary components of the regulations follows.
Written Policies and Procedures
The Cybersecurity Regulations require a covered entity2 to develop and implement written cybersecurity policies and procedures based on risk assessments that the regulations require to be performed on a periodic basis. 23 NYCRR § 500.03. These policies and procedures must address 14 specific areas outlined in section 500.03 of the regulations:
Data governance and classification
Asset inventory and device management
Access controls and identity management
Business continuity and disaster recovery planning and resources
Systems operations and availability concerns
Systems and network security
Systems and network monitoring
Systems and application development and quality assurance
Physical security and environmental controls
Customer data privacy
Vendor and third-party service provider management
In addition to the 14 specific areas, the regulations also require written cybersecurity policies to govern the development and security for internal and external applications utilized by the entity (§ 500.08), ensure security by third-party service providers (§ 500.11), address the secure and timely disposal of data (§ 500.13), conduct periodic risk assessments (§ 500.09), monitor information systems to identify unauthorized users, and outline an incident response plan (§ 500.16). A covered entity must establish a cybersecurity policy and procedures and an incident response plan by August 28, 2017; create a policy to conduct periodic assessments by March 1, 2018; create policies for the security of applications and the disposal of data by September 1, 2018; and create a policy to ensure security by third-party service providers by March 1, 2019.
The Cybersecurity Regulations require a covered entity to maintain a cybersecurity program designed to “protect the confidentiality, integrity and availability” of information systems. Id. at § 500.02. Like the cybersecurity policies and procedures obligation, the cybersecurity program obligation is based on a risk assessment that identifies risks and threats to the covered entity. Id. Under the Cybersecurity Regulations, a cybersecurity program needs to address six core cybersecurity functions:
Internal and external cybersecurity risks
Policies and infrastructure to protect information systems
Detection of cybersecurity events3
Response and mitigation of cybersecurity events
Recovery and restoration after a cybersecurity event
Compliance with applicable reporting obligations.
A covered entity must create and maintain a cybersecurity program in compliance with these standards by August 28, 2017.
Chief Information Security Officer and Training
The Cybersecurity Regulations require a covered entity to have a designated and qualified individual who is responsible for overseeing and implementing the cybersecurity program and enforcing cybersecurity policies and procedures. 23 NYCRR § 500.04. This individual, commonly known as a chief information security officer (CISO), may be hired directly by the covered entity or may be provided through an affiliate or third-party service provider. Id. The CISO is directly responsible for the entity’s compliance with the regulations and must report at least annually to the board of directors on the status of the cybersecurity program and material cybersecurity risks and threats to the covered entity. Id. In addition to the CISO, a covered entity is required to conduct periodic training of all employees to address cybersecurity awareness. Id. at § 500.14(a)(2). A covered entity must have a CISO in place by August 28, 2017 and provide cybersecurity awareness training to employees by March 1, 2018.
Risk Assessments and Monitoring
The Cybersecurity Regulations require a covered entity to assess the effectiveness of its cybersecurity program and maintain an audit trail designed to detect and respond to a cybersecurity event. The requirements to assess effectiveness focus on conducting a periodic risk assessment and/or vulnerability testing and updating policies and procedures to address identified risks and threats. Id. at §§ 500.05, 500.09. The audit trail obligation requires a covered entity to maintain a record of system activity both by system and application processes and by user activity of systems and applications to detect unusual activity. Id. at § 500.06. A covered entity must conduct periodic risk assessments and vulnerability testing by March 1, 2018 and be in compliance with audit trail obligations by September 1, 2018.
Mandatory Security Measures
The Cybersecurity Regulations require a covered entity to utilize its risk assessment to establish mandatory security measures in the form of multifactor authentication and controls, including encryption, to protect nonpublic information at rest and in transit. Under the regulations, multifactor authentication or its equivalent must be utilized for individuals accessing a covered entity’s internal network from an external network. 23 NYCRR § 500.12. It requires an individual seeking access to verify his or her identity through two of the following factors: (1) knowledge factors, such as a password; (2) possession factors, such as a token or text message; or (3) inherence factors, such as a biometric characteristic. Id. Consistent with its risk assessment, a covered entity must implement multifactor authentication or its equivalent by March 1, 2018 and utilize encryption or its equivalent by September 1, 2018.
Notification Obligations and Compliance Certification
The Cybersecurity Regulations require a covered entity to notify the superintendent of NYDFS within 72 hours of determining that the entity has suffered a cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operations of the entity. Id. at § 500.17. Because other state and federal regulators typically require notice of an event within a reasonable time, this 72-hour notice requirement is more burdensome and could be interpreted to require notice before all the facts are known and the root cause identified. Compliance with these standards must be achieved by August 28, 2017.
The public comment period for the modified Cybersecurity Regulations is set to expire on January 27, 2017. Assuming the proposed Cybersecurity Regulations remain in place, most large banks, insurance companies and financial services entities are either already in compliance or will easily come into compliance with the regulations. It goes without saying that all entities should ensure they have appropriate documentation establishing their compliance.
Smaller NYDFS-regulated entities, however, likely do not have cybersecurity programs at the levels of sophistication required by NYDFS, and, in short order, they will need to arrange for someone to perform the CISO function, dedicate the resources to conduct periodic risk assessments, develop and implement policies and procedures, and retain appropriate personnel and conduct personnel training. Only time will tell what burden the Cybersecurity Regulations will place on smaller entities and whether these regulations will make the cost of doing business prohibitive.
One area of the regulations where entities (large and small) typically lack focus is vendor management. Under the Cybersecurity Regulations, a covered entity must ensure that third-party service providers adhere to the Cybersecurity Regulations. All entities should review their contract process and, if necessary, amend contracts to comply with the new Cybersecurity Regulations.
Regardless of the size of a covered entity, the 72-hour requirement to provide notice of a cybersecurity event to the superintendent could be problematic and will require NYDFS-regulated entities to have forensic consultants and counsel on speed-dial. This notice requirement also could result in premature releases of information before all the facts and causation are determined and may lead to multiple follow-up notices.
Finally, problems will arise when other states seek to jump on the bandwagon and adopt their own regulations. Entities that have operations in various states will then be forced to comply with a patchwork of cybersecurity standards that is similar to the data breach notification laws being enforced in 47 states. This will result in uncertainty and increased costs of doing business.
Pepper Hamilton’s Privacy, Security and Data Protection Practice Group has the skill and practical experience to help financial services entities develop and implement a comprehensive cybersecurity program and respond to and provide appropriate notice when a cybersecurity event occurs.
1 Commentators claimed that the original regulations took a one-size-fits-all approach to cybersecurity, were impractical and failed to recognize unique circumstances of particular organizations, including smaller organizations with limited resources. The modified regulations seek to address the public comments by, among other things, focusing the standards on the results of an entity’s periodic risk assessment.
2 A covered entity is any entity required to comply with the Cybersecurity Regulations and is defined as “[a]ny Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR § 500.01(c).
3 A cybersecurity event is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” 23 NYCRR § 500.02(d).
The material in this publication was created as of the date set forth above and is based on laws, court decisions, administrative rulings and congressional materials that existed at that time, and should not be construed as legal advice or legal opinions on specific facts. The information in this publication is not intended to create, and the transmission and receipt of it does not constitute, a lawyer-client relationship.