On September 28, 2016, the New York State Department of Financial Services (“DFS”) published proposed regulations in the New York State Register regarding cybersecurity for companies that operate under New York banking, insurance, or financial services laws. The proposed regulations will be open to a 45-day notice and public comment period following their September 28, 2016 publication. If the proposal is adopted, affected companies will have 180 days from the effective date to comply with its requirements. There is a limited exemption for companies with (1) fewer than 1,000 customers in each of the last three years, (2) less than $5,000,000 in gross revenue in each of the last three years, and (3) less than $10,000,000 in year-end total assets. For all other affected companies, however, these regulations may require significant changes to their current cybersecurity programs.
The regulations require the development of a cybersecurity program designed to achieve “core cybersecurity functions,” including:
• Identification of cyber risks;
• Implementation of policies and procedures to protect against unauthorized access/use or other malicious acts;
• Detection of cybersecurity events;
• Response to identified cybersecurity events to mitigate any negative effects; and
• Recovery from cybersecurity events and restoration of normal operations and services.
Appointment of Chief Information Security Officer: Affected companies will be required to appoint a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must also prepare a report at least bi-annually, available to the DFS upon request, that addresses the state of the company’s cybersecurity program. Specifically, the report must:
• Assess the confidentiality, integrity and availability of information systems;
• Detail exceptions to cybersecurity policies and procedures;
• Identify cyber risks;
• Assess the effectiveness of the cybersecurity program;
• Propose steps to remediate any inadequacies identified; and
• Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
Written Cybersecurity Policy: Affected companies will also be required to implement a written cybersecurity policy addressing at least fourteen specified areas. The policy must be reviewed and approved annually by the board of directors and a senior officer or, if there is no board of directors, by a senior officer. The fourteen areas are:
• Information security;
• Data governance and classification;
• Access controls and identity management;
• Business continuity and disaster recovery planning and resources;
• Capacity and performance planning;
• Systems operations and availability concerns;
• Systems and network security;
• Systems and network monitoring;
• Systems and application development and quality assurance;
• Physical security and environmental controls;
• Customer data privacy;
• Vendor and third-party service provider management;
• Risk assessment; and
• Incident response.
Encryption of Nonpublic Information: The regulations require that companies take steps to encrypt nonpublic information being transmitted or held. If encryption is not immediately feasible, firms can use appropriate alternative controls for one year for “in transit” data, and five years for “at rest” data. Companies will also have to implement authentication procedures for access to information systems and nonpublic information, and audit trail systems that track and maintain, for six years, financial transaction, accounting, and system access data. Further, companies must limit information system and nonpublic information access privileges solely to those who require such access to perform their responsibilities.
Third Party Information Security Policy: In addition to the written policy described above, companies will be required to implement written policies and procedures addressing the cybersecurity practices of third party service providers that have access to their information systems or nonpublic information. This “Third Party Information Security Policy” must detail how such third parties are identified and their risks assessed, state the minimum cybersecurity practices required to do business with the company, and address the company’s due diligence processes. Companies are also to establish “preferred provisions” for use in agreements with third parties that hold those third parties contractually accountable for their cybersecurity practices.
Additional Requirements: Commencing January 15, 2018, each company will have to certify annually that it is in compliance with these rules and retain the records supporting that certification for five years. The rules also call for periodic activities, including annual cybersecurity risk assessments and penetration testing and quarterly vulnerability assessments. Affected companies will further be required to provide regular, mandatory cybersecurity awareness training and to employ sufficient cybersecurity personnel to manage risks and perform the core cybersecurity functions. Companies will have 72 hours to notify the New York State Department of Financial Services of cybersecurity events (such as a breach of security) that have a reasonable likelihood of materially affecting normal operations or nonpublic information, and must also have a written incident response plan in place.
The proposed regulations go significantly beyond the federal requirements currently in effect in these areas and impose a number of new obligations, in particular annual cybersecurity risk assessments and penetration testing, notification of state authorities within 72 hours of a qualifying cybersecurity event, and the designation of a Chief Information Security Officer. Affected companies should consult with their legal counsel and security experts to determine what updates and changes they will be required to make under the new regulations.