New York State has proposed a new regulation that requires insurance companies, banks, and other financial services institutions regulated by the New York State Department of Financial Services (DFS) to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. Governor Cuomo said “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”
If enacted, this would be the first statewide regulation mandating that insurance companies, banks, and other financial institutions create such a program. The regulation would set forth fairly general minimum standards. Among other requirements, covered insurance companies, banks, and other financial institutions would have to set out detailed plans for handling data breaches, increase their monitoring of how third-party vendors handle and secure data, and appoint a chief information security officer. While many of these institutions will find that elements of the proposed regulation resemble existing regulatory and technical guidance, those elements have not previously been required as a matter of law. Each institution will have to examine how these requirements interact with the expectations of other regulators with overlapping jurisdiction, and how they are to be implemented by institutions that operate across multiple states or countries.
The proposed regulation is subject to a 45-day notice and public comment period beginning September 28, 2016, before its final issuance. Entities subject to the new regulation, if it goes into effect, would have 180 days to comply after the effective date. If the proposed regulation goes into effect, we expect other states to soon follow in New York’s footsteps and enact similar regulations of their own. We also expect the Federal government to enact similar mandates in the not too distant future. Earlier this year, the current administration put in place cybersecurity requirements for government contractors.
Who Is Covered?
The proposed regulation covers any individual or entity operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York state banking, insurance or financial services laws (a Covered Entity), with an exception for small entities.
Much of the proposed regulation focuses on systems that include nonpublic information. Nonpublic information is defined as all electronic information that is not publicly available and is (1) business-related information that, if disclosed or tampered with, could cause a material adverse impact to the Covered Entity’s business, operations or security, (2) any information that an individual provides to a Covered Entity in connection with obtaining a financial product or service, that results from a transaction with the individual, or that a Covered Entity otherwise obtains about the individual in connection with providing a financial product or service to that individual, (3) information about an individual’s health that is received from a health care provider or from the individual, or that relates to the payment of health care costs, and (4) information that can be used to distinguish or trace an individual’s identity and is linked or linkable to an individual.
The second category, information relating to the provision of financial products or services, generally tracks how personal information is defined under the Gramm-Leach-Bliley Act and will likely not be controversial. The third category, health information, is loosely based on the definition in the Health Insurance Portability and Accountability Act; because the proposed regulation covers a wide swath of businesses that are not engaged in the health care industry, it would require entities to consider how they store and handle employee health information they might receive. The final category creates an unusually broad definition of what constitutes personal information. It includes not only traditional categories of personal information, such as name, social security number, date and place of birth, and mother’s maiden name, but also, without limitation, medical, educational, financial, occupational or employment information, information about an individual used for marketing purposes, and any password or other authentication factor. This picks up on a new trend to classify information as personal information if it can simply be used as a building block toward identifying an individual. Insurance companies, banks, and other financial institutions will need to carefully consider whether any type of information they hold about individuals is nonpublic information.
What Is Required?
- Establishment of a Cybersecurity Program designed to ensure the confidentiality, integrity, and availability of information systems and that performs five core cybersecurity functions:
- Identification of cyber risks.
- Implementation of policies and procedures to protect against unauthorized access, unauthorized use or other malicious acts.
- Detection of cybersecurity events.
- Response to identified cybersecurity events to mitigate their negative effects.
- Recovery from cybersecurity events and restoration of normal operations and services.
- Adoption of a Cybersecurity Policy setting forth policies and procedures for the protection of their information systems and nonpublic information that addresses, at a minimum, the following:
- Information security.
- Data governance and classification.
- Access controls and identity management.
- Business continuity and disaster recovery planning and resources.
- Capacity and performance planning.
- Systems operations and availability concerns.
- Systems and network security.
- Systems and network monitoring.
- Systems and application development and quality assurance.
- Physical security and environmental controls.
- Customer data privacy.
- Vendor and third-party service provider management.
- Risk assessment.
- Incident response.
- Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the board, at least bi-annually, to:
- Assess the confidentiality, integrity, and availability of information systems.
- Detail exceptions to cybersecurity policies and procedures.
- Identify cyber risks.
- Assess the effectiveness of the cybersecurity program.
- Propose steps to remediate any inadequacies identified.
- Include a summary of all material cybersecurity events that affected the regulated institution during the time period addressed by the report.
- Third-Party Service Providers. Regulated entities must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, including the following:
- Identification and risk assessment of third parties with access to such information systems or such nonpublic information.
- Minimum cybersecurity practices required to be met by such third parties.
- Due diligence processes used to evaluate the adequacy of the cybersecurity practices of such third parties.
- Periodic assessment, at least annually, of such third parties and the continued adequacy of their cybersecurity practices.
This mandate will likely extend to law firms who service insurance companies, banks, and other financial institutions. It is unlikely that there will be a carve-out for law firms.
- Additional Requirements. Each cybersecurity program shall include the following:
- Annual penetration testing and vulnerability assessments.
- Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges.
- Limitations and periodic reviews of access privileges.
- Written application security procedures, guidelines, and standards that are reviewed and updated by the CISO at least annually.
- Annual risk assessment of the confidentiality, integrity, and availability of information systems; adequacy of controls; and how identified risks will be mitigated or accepted.
- Employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures.
- Multi-factor authentication for individuals with privileged access to internal systems and for functions such as remote access.
- Timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
- Monitoring of authorized users and cybersecurity awareness training for all personnel.
- Encryption of all nonpublic information held or transmitted. Where encryption is infeasible, compensating controls may be used in its place for data in transit for up to one year after the regulation’s effective date, and for data at rest for up to five years after the effective date.
- Written incident response plan to respond to, and recover from, any cybersecurity event.
The full text of the proposed regulation can be viewed here.
Hickey Smith is already in compliance with nearly all of the requirements in the proposed cybersecurity regulation under our ISO 27001 security certification and information security management system (ISMS). Moreover, Hickey Smith has provided guidance to other entities in becoming cybersecurity compliant both in the US and abroad.
Hickey Smith’s cybersecurity team can work with and guide insurance companies, banks, other financial institutions, and their respective third party vendors to become and remain compliant with New York’s proposed cybersecurity regulation.
Hickey Smith is a leader in cybersecurity and is one of only a handful of law firms that have achieved ISO 27001:2013 certification for information security. In 2015, David Hickey was named a Cybersecurity & Data Privacy Trailblazer by The National Law Journal.
For more information, please contact one of our cybersecurity team leaders listed below.
David Hickey at email@example.com or 626-737-9505
Rene Kahn at firstname.lastname@example.org or 626-737-6236
Jason Balogh at email@example.com or 415-813-4455