New York cybersecurity regulations

Another set of regulations, another set of discussions between attorneys and clients, now requiring very detailed insight into what is possible on the market from the cybersecurity engineering world: How to make the response practical, effective and valuable is, of course, the goal.

Who must comply with the Regulations

The reach of the regulations appears to be extraordinarily broad, as might be expected for regulators in “the financial capital of the world.” They apply to “Covered Entities,” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law,” but exempt certain very small Entities—those with (1) fewer than 10 employees or independent contractors; (2) less than 5million $ in gross annual revenue each of the past three fiscal years; or (3) less than 10million $ in it and its affiliates’ GAAP year-end total assets. It is important to read and consider that definition carefully - it covers a much larger universe than one may expect. Besides banks and other obvious financial institutions, the NYDFS also regulates insurance companies, including health insurers, mortgage lenders, mortgage brokers and any other businesses covered by any of the New York Banking, Insurance or Financial Services Laws. And, because the touchstone of the Regulations is authorization from the NYDFS, the Regulations, by their terms, apply to national and international concerns with headquarters and even substantially all operations, outside of New York, so long as they are operating within the State of New York, under NYDFS authorization and do not fall within the de minimis exceptions provided in the Regulations.

When do the Regulations take effect

1. 3. 2017 and 180-day transition period. Entities must file their first annual certifications with the NYDFS no later than February 15, 2018.

What do the Regulations require

The Regulations are intended to create an expansive, integrated, risk-based system to ensure that regulated entities develop and maintain robust cybersecurity capabilities and, therefore, are able to properly safeguard sensitive nonpublic information in their possession.

The following are some of the most critical elements of the regulations:

Cybersecurity Program
Each entity must develop, implement and maintain a cybersecurity program, based on its risk assessment (discussed below), that performs these core functions:
Identify and assess internal and external cyber risks to the security or integrity of information stored on the Entity’s information systems,
Create infrastructure and implement policies and procedures to prevent unauthorized access to the Entity’s information systems and use of nonpublic information on such systems,
Detect cybersecurity events, respond to such events to mitigate adverse effects and recover and restore normal operations and services, and
Meet regulatory reporting obligations.

Cybersecurity Policy
Each entity must adopt a written cybersecurity policy, made up of policies and procedures for the protection of its information systems and of nonpublic information stored on those systems. The cybersecurity policy must be based on the entity’s risk assessment, approved by a senior officer (as defined) or the entity’s board of directors and must address the following areas to the extent applicable:
Information security,
Data governance and classification,
Asset inventory and device management,
Access controls and identity management,
Business continuity and disaster recovery planning and resources,
Systems operations and availability concerns,
Systems and network security,
Systems and network monitoring,
Systems and application development and quality assurance,
Physical security and environmental controls,
Customer data privacy,
Vendor and third-party service provider management,
Risk assessment, and
Incident response.

Monitoring, Penetration and Vulnerability Testing
For each entity (other than those exempt under the de minimis standard) must include a program of ongoing monitoring and testing, developed in accordance with the entity’s risk assessment, to assess the effectiveness of the entity’s cybersecurity program. This monitoring and testing regime must include either (1) continuous monitoring or (2) periodic penetration testing (in which the assessors “attempt to circumvent or defeat the security features of an information system”) and vulnerability assessments. In the absence of continuous monitoring, penetration testing must be performed at least annually, to identify vulnerabilities of the entity’s network security systems and vulnerability testing, including systematic scans or reviews of information systems to identify known vulnerabilities, must be undertaken at least twice annually.

Risk Assessment
Each entity must undertake a periodic risk assessment to reassess the cybersecurity risks inherent in its business operations, including its information systems and the nonpublic information it collects and stores. Compliance with a number of other requirements is, under the regulations, explicitly dependent on the risk assessments.

These requirements include the cybersecurity program, cybersecurity policy, penetration testing and vulnerability assessment and third-party service provider security policy, as well as multi-factor authentication, encryption of non-public information and training and monitoring.
While the original proposal for the regulations called for the risk assessment to be performed annually, the final regulations remove the “annual” requirement. Instead, the regulations indicate that the risk assessment must be “sufficient to inform the design” of the required cybersecurity program.

Other notable requirements under the Regulations include:

Chief Information Security Officer
Each entity (other than those exempt under the de minimis standard) must designate a Chief Information Security Officer (CISO) responsible for overseeing and implementing the institution’s cybersecurity program and enforcing its cybersecurity policy. The CISO must report to the entity’s Board of directors, at least twice annually, on a list of prescribed matters.

Third-Party Service Provider Security Policy
Each entity must have in place policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties.

Reporting Requirements
Entities are required to report to the DFS as follows:
Within 72 hours after a determination that a “Cybersecurity event” has occurred. A cybersecurity event is an event “that has a reasonable likelihood of materially harming any material part of the normal operations of the entity.”
No later than 15.2. of each year, each entity must certify that it is in compliance with the requirements of the regulations.

Each cybersecurity program also must include:

Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges,
Limitations and periodic reviews of access privileges,
Written application security procedures, guidelines and standards that are reviewed and updated by the CISO at least annually,
Employment and training of cybersecurity personnel,
Multi-factor authentication for individuals accessing internal systems who have privileged access or to support functions including remote access,
Timely destruction of nonpublic information that is no longer necessary,
Monitoring of authorized users and cybersecurity awareness training for all personnel,
Encryption of all nonpublic information held or transmitted, and
Written incident response plan to respond to, and recover from, any cybersecurity event.