As we discussed in a prior blog post, in September 2016, the New York Department of Financial Services (DFS) proposed the first statewide cybersecurity regulation of its kind. The proposed regulation mandated that insurance companies, banks, and other financial services institutions regulated by the DFS (Covered Entities) establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The proposed regulation was scheduled to become effective on January 1, 2017.
After reviewing more than 150 comments during the 45-day notice and public comment period, on December 28, 2016, the DFS published a revised proposed cybersecurity regulation. The revised proposed regulation is now scheduled to become effective on March 1, 2017. Covered Entities will have until September 1, 2017, to become compliant with the revised regulation, and until February 15, 2018, to submit a certificate of compliance to the DFS.
Despite negative comments from trade groups and companies within the impacted insurance, banking, and financial institution communities, the DFS left the requirements contained in its originally proposed regulation largely intact. In general, under the proposed revision, Covered Entities will be allowed more flexibility to customize their cybersecurity plans to the particular weaknesses that are reflected in the risk assessments that the regulation will require the Covered Entities to perform. The department also eased the reporting requirements as to when “cybersecurity events” occur. While still requiring Covered Entities to notify DFS within 72 hours, the mandate will now apply only to incidents that Covered Entities conclude have a reasonable likelihood of compromising confidential information.
The definition of Nonpublic Information (“NPI”) has been tightened in the revised regulations. Previously defined as “any information” collected in connection with a financial product, the revised regulation includes the more commonly used and more specific definition of “[a]ny information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements:
- Social security number;
- Drivers’ license number or non-driver identification card number;
- Account number, credit or debit card number;
- Any security code, access code or password that would permit access to an individual’s financial account; or
- Biometric records.”
The revised regulation also no longer includes as NPI “any information that can be used to distinguish or trace an individual’s identity.”
The originally proposed regulation required Covered Entities to establish third-party cybersecurity policies and procedures that treated all third parties the same in terms of the risk they presented. The revised regulation allows Covered Entities to base the terms of their cybersecurity policies and procedures that relate to third-party vendors on the specific third-party risks identified in the entity’s overall Risk Assessment. Also, instead of requiring Covered Entities to impose specific contract terms on all vendors, Covered Entities will only be required to establish “relevant guidelines” that address the third-party’s cybersecurity policies and procedures.
Despite these changes, it is clear that third parties that handle or have access to a Covered Entity’s data — including law firms and legal service providers (e.g., legal process outsourcers) — will likely be affected by the regulation. As a result, they will need to develop their own cybersecurity policies that comply with the revised regulation to continue providing services to Covered Entities. For example, as reported in the recent Wall Street Journal article entitled “Banks Try to Thwart Hackers, Take Aim at Vendors,” one bank executive was already quoted as saying, “[w]hatever controls we provide internally, we have to make sure the third party also follows.”
The revised regulation does not require that an individual within each company have the specific title of Chief Information Security Officer (“CISO”), only that a qualified individual be designated as responsible for overseeing the cybersecurity program and enforcing the cybersecurity policy. The regulation clarifies that the CISO may be employed by the covered entity, an affiliate, or a third-party service provider.
The definition of those entities that are exempt from the regulation was modified and will be defined as follows:
- Fewer than 10 employees, including independent contractors, or
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
- Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.
Additional revisions to the regulation include the following:
- Allows for the use of third-party service providers (e.g., an outsourced CISO) to maintain and manage a company’s cybersecurity program;
- Adds “device management” to the list of areas that need to be addressed by a cybersecurity policy;
- The definition of “Penetration Testing” was made more specific by adding the bolded language below to the definition – “a test methodology in which assessors attempt to circumvent or defeat the security features of an Information System by attempting unauthorized penetration of databases or controls from outside or inside the Covered Entity’s Information Systems.”;
- Audit trail records retention requirements were decreased from 6 years to 5 years; and
- Limitations on user access privileges were relaxed and no longer is access solely limited to those individuals who require such access to such systems in order to perform their responsibilities.
The regulation covers any individual or entity operating under a license, registration, charter, certificate permit, accreditation or similar authorization under New York state banking, insurance or financial services laws, with the above exception for small entities.
As the regulation is mandatory, Covered Entities should immediately undertake a review of their cybersecurity policies and programs to ensure they are in compliance when the regulation goes into effect on March 1, 2017. Further, third parties that provide services to Covered Entities should also ensure they are compliant, as failure to do so could jeopardize their ability to provide services to Covered Entities.
The full text of the regulation can be viewed here.
Working with cyber professionals, Hickey Smith takes a holistic approach to advising clients on cyber issues while maintaining the confidentiality protections afforded by the attorney-client privilege and work product doctrine. Hickey Smith has worked successfully with law enforcement authorities and courts to minimize and prevent cyber incidents in the United States and abroad.
Hickey Smith is a leader in cybersecurity and is one of only a handful of law firms that is certified under ISO 27001:2013 for information security. Hickey Smith is compliant with New York Department of Financial Services revised cybersecurity regulation issued on December 28, 2016. In 2015, the National Law Journal named David Hickey a Cybersecurity & Data Privacy Trailblazer.
Hickey Smith’s cybersecurity team can work with and guide insurance companies, banks, other financial institutions, and their respective third parties to become and remain compliant with New York’s proposed cybersecurity regulation.
For more information, please contact one of our cybersecurity team leaders listed below.
David Hickey at firstname.lastname@example.org or 626-737-9505
Rene Kahn at email@example.com or 626-737-6236
Jason Balogh at firstname.lastname@example.org or 415-813-4455