New York State Department of Financial Services Proposes Regulations Imposing Detailed Cybersecurity Rules on Insurance, Banking and Other Licensed Financial Institutions
On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) proposed regulations outlining minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Proposed Regulations”). The NYDFS regulates entities and products that are subject to New York insurance, banking and financial services laws. Because the scope of the Proposed Regulations includes any entity “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” the Proposed Regulations will cover a broad range of entities in the banking, insurance and financial services industries, including insurance producers and premium finance companies.
The Proposed Regulations expand upon the NYDFS’ outline of proposed key cybersecurity measures included in its November 2015 letter to members of the Financial and Banking Information Infrastructure Committee (“FBIIC”), discussed in a prior post. The NYDFS’ longstanding interest in cybersecurity is well known, and its Proposed Regulations are the culmination of numerous research, investigations and reports concerning cybersecurity risk, conducted both before and after the NYDFS issued its cybersecurity letter in November 2015. However, because the Proposed Regulations are a unilateral measure by the NYDFS it is not clear that this proposal will necessarily advance, and it may even hinder, NYDFS’ stated interest in collaboration and harmonizing cybersecurity regulations for “regulatory convergence among our agencies on new, strong cyber security standards for financial institutions.” Letter from Anthony Albanese, Acting Superintendent of Financial Services to FBIIC Members, Re: Potential New NYDFS Cyber Security Regulations Requirements (Nov. 9, 2015).
Key points of the Proposed Regulations include the following requirements of “Covered Entities”:
- appointment of a Chief Information Security Officer who reports at least biannually to the Board of Directors and makes those reports available to the NYDFS;
- Board review and senior officer approval of the written cybersecurity/information security policy (including an incident response plan) at least annually;
- penetration testing (at least annually),vulnerability assessments (at least quarterly) and written risk assessments (at least annually) of the entity’s information systems;
- encryption of certain nonpublic data in transit and at rest (a transition period with compensating controls is provided if such encryption is currently infeasible);
- multi-factor authentication for external access to internal databases and privileged access to nonpublic information, and risk-based and multi-factor authentication for certain web-based applications processing nonpublic information;
- limitations on the retention of nonpublic information;
- regular employee training and monitoring of authorized users with access to nonpublic information;
- incident response procedures and internal reporting on “Cybersecurity Events” that broadly include even attempted and unsuccessful efforts to gain access to or disrupt the entity’s information system;
- 72-hour notification to the New York Superintendent of Financial Services (the “Superintendent”) of Cybersecurity Events that have a reasonable likelihood of materially affecting the normal operation of the entity or that affect nonpublic information; and
- an annual certification to the Superintendent by the entity’s Board of Directors (or alternatively a senior officer) that the entity is in compliance with the regulations.
The Proposed Regulations go well beyond safeguarding customer information, and also cover business continuity, system availability, quality assurance and other operational factors.
The Proposed Regulations apply to “Covered Entities” which are defined as any person (individual or entity) operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York banking, insurance or financial services law. Covered Entities would include any branch or agency of a foreign banking organization licensed by the NYDFS.
Covered Entities are required to designate a Chief Information Security Officer (“CISO”) and develop a written cybersecurity policy that details procedures for protecting certain information stored on the entity’s systems. Mandated technical security controls – without reference to the cost of such controls – include multi-factor authentication, and security of data accessible to third-parties and data encryption.
Under the Proposed Regulations, all Covered Entities must establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems (“Cybersecurity Program”). “Information Systems” are expansively defined as “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” This broad definition would appear to impose requirements on telephone exchange systems and even potentially HVAC systems, despite the paucity of attacks known to have targeted such systems and the particular complexities of protecting such, often bespoke, systems.
The Proposed Regulations provide a limited exemption for small entities (the “Limited Exemption”) to some of the provisions therein, such as the requirement that a Covered Entity appoint a CISO, implement multi-factor authentication controls and encrypt “Nonpublic Information” (as defined in Section 500.01(g) of the Proposed Regulations). The Limited Exemption applies to Covered Entities with: (1) fewer than 1,000 customers in each of the last three calendar years, (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, and (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates. Covered Entities that cease to qualify for the Limited Exemption have 180 days from the date of its most recent fiscal year end to comply with all provisions of the Proposed Regulations. The Limited Exemption is a distinctly formalized and limited iteration of the flexibility found in most other information security guidance and regulations.
Following is a summary of the Proposed Regulations:
1. Cybersecurity Program
The Proposed Regulations require that a Covered Entity establish a Cybersecurity Program that uses “defensive infrastructure” and protects Information Systems (and Nonpublic Information stored thereon), from unauthorized access or use or other malicious acts. The Cybersecurity Program must provide for detecting and responding to Cybersecurity Events as well as recovering from them. “Cybersecurity Event” is defined as any act (or attempt, successful or not) to gain unauthorized access to, disrupt or misuse an Information System or information stored thereon.
2. Cybersecurity Policy
A Covered Entity must maintain a written cybersecurity policy (“Cybersecurity Policy”) that addresses topics such as information security, disaster recovery planning, system and network monitoring and security, customer data privacy, vendor and third-party service provider (“TPSP”) management, risk assessment and incident response. At least annually, the Cybersecurity Policy must be reviewed by the Covered Entity’s board of directors (“Board”), or equivalent governing body, and approved by a Senior Officer of the Covered Entity. A “Senior Officer” means a senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity.
3. Incident Response Plans
A Covered Entity that does not qualify for the Limited Exemption must establish a written incident response plan that addresses internal processes for responding to a Cybersecurity Event, clear roles and levels of decision-making authority, and external and internal communications and information sharing.
4. Notices to NYDFS
The Proposed Regulations require a Covered Entity to notify the NYDFS of any Cybersecurity Event that has a reasonable likelihood of “materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information.” The Proposed Regulations do not specify whether a risk of harm to individuals may be considered.
The notice must be made as promptly as possible but in no event later than 72 hours after a Covered Entity becomes aware of the Cybersecurity Event. This timeframe is significantly more aggressive than every other state data breach notification timeframe and reflects the same timeframe as the European Union’s General Data Protection Union. An event triggering such notice would include a Cybersecurity Event for which notice is provided to any government or self-regulatory agency, or a Cybersecurity Event involving the actual or potential unauthorized tampering with, or access to or use of, Nonpublic Information.
Covered Entities must also submit a written statement (in a form attached to the Proposed Regulations) to the NYDFS (annually, by January 15) certifying that the Board of the Covered Entity (or Senior Officer) has reviewed all necessary documents and reports (of its officers, employees and outside vendors) and that, to the best of the Board’s/Senior Officer’s knowledge, the Cybersecurity Program complies with the Proposed Regulations, as adopted in final form.
5. Chief Information Security Officer
Unless the Limited Exemption applies, a Covered Entity would be required to designate a Chief Information Security Officer (“CISO”) responsible for overseeing its Cybersecurity Program and enforcing its Cybersecurity Policy. To the extent a TPSP is used for this purpose, the Covered Entity must retain responsibility for compliance with the Proposed Regulations and must designate a senior member of the Covered Entity’s personnel responsible for oversight of the TPSP. In addition, the TPSP itself must maintain a cybersecurity program that meets the requirements of the Proposed Regulations. The CISO must prepare and deliver, at least bi-annually, certain reports to the Covered Entity’s Board, or equivalent governing body, which reports are available to the NYDFS upon request. Each report must identify cybersecurity risks to the Covered Entity, assess the confidentiality, integrity and availability of the Covered Entity’s Information Systems and effectiveness of its Cybersecurity Program, and propose steps to remediate any identified inadequacies. Such reports must also detail the exceptions to the Cybersecurity Policy and summarize all material Cybersecurity Events that affected the Covered Entity during the time period addressed by the report.
6. Encryption of Nonpublic Information
Perhaps most significantly, unless the Limited Exemption applies, the Proposed Regulations require that a Covered Entity encrypt all Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest – moving well beyond the existing best practices of encrypting such information only during transit and while on portable media. If encryption of such information is “currently infeasible”, a Covered Entity can use alternative controls that are approved by the CISO, but such alternative controls for information in transit may not be used after one year from the date the Proposed Regulations become final and effective and after five years for information at rest. As a result of this requirement, certain legacy information systems not capable of operating effectively with encryption at rest will need to be replaced or materially modified within five years.
7. Penetration Testing and Auditing
Unless the Limited Exemption applies, all Cybersecurity Programs must provide for penetration testing and maintain audit trail systems. Penetration testing of the Covered Entity’s Information Systems (at least annually) as well as vulnerability assessments (at least quarterly) would be required. Audit trail systems would track and maintain data that allows for a complete reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event, and data-logging of all privileged authorized user access to critical systems. The audit trail systems must also protect from alteration or tampering the integrity of data stored as part of any audit trail and the integrity of hardware, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction. The audit trail system should also log system events including access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems. Audit trail records must be retained for at least six years.
8. Access Privileges
To the extent Nonpublic Information can be accessed on Information Systems, access privileges should be limited solely to individuals who require access to perform their responsibilities and such privileges should be periodically reviewed.
9. Application Security
Absent a Limited Exemption, a Covered Entity must have written procedures and standards in place to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, as well as procedures for assessing and testing the security of all externally developed applications utilized by the Covered Entity. At least annually, the CISO must review, assess and update such procedures and standards.
10. Risk Assessment
At least annually, a Covered Entity must conduct a risk assessment of its Information Systems that is documented in writing. As part of the risk assessment, the Covered Entity must identify what criteria was used to evaluate and categorize risks and to assess the adequacy of existing controls in the context of identified risks. Documentation is required to describe how identified risks will be mitigated (or accepted), justify such decisions in light of risk assessment findings, and assign accountability for the identified risks.
11. Cybersecurity Personnel and Intelligence
Unless the Limited Exemption applies, a Covered Entity must employ sufficient cybersecurity personnel to manage cybersecurity risks and to perform the core functions of: identifying internal and external cyber risks (including the ability to access Nonpublic Information); protecting Information Systems from unauthorized access or malicious acts; and detecting, responding to, and recovering from Cybersecurity Events. Cybersecurity personnel must be trained and stay up to date on changing cybersecurity threats and countermeasures. A Covered Entity may use a qualified third party to assist its compliance with this provision, subject to the Proposed Regulation’s requirements concerning Third Party Information Security Policy.
12. Third-Party Service Provider Management
A Covered Entity would need to address the security of data that is accessible to or held by TPSPs. Covered Entities must have written policies and procedures for identifying and assessing TPSPs with access to Information Systems and Non-Public Information. Due diligence procedures must be established to evaluate a TPSP’s cybersecurity practices, and annual periodic assessments of TPSPs are required. Such policies and procedures must include the establishment of preferred terms of TPSP contracts, including provisions specifying technical controls such as multi-factor authentication and data encryption, as well as more procedural protections, such as requiring notice to the Covered Entity in the event of a cybersecurity incident, the right of a Covered Entity to perform cybersecurity audits of the TPSPs, contractual representations and warranties (that the TPSP product/service is free of viruses, trap doors, time bombs and other problems), and identity protection services for customers materially impacted by a Cybersecurity Event as a result of the TPSP’s negligence or willful misconduct.
13. Multi-Factor Authentication
The Proposed Regulations would, unless the Limited Exemption applies, require Multi-Factor Authentication for any individual accessing the Covered Entity’s internal systems or data from an external network and for privileged access to database servers that allow access to Nonpublic Information – thereby requiring Multi-Factor Authentication even for accessing customer databases while inside company offices on its own network. “Multi-Factor Authentication” means authentication through verification of at least two of the following types of authentication factors: (a) knowledge factors (such as a password); (b) possession factors (such as a token or text message on a mobile phone); or (c) inherence factors (such as a biometric characteristic). Risk-based authentication that requires additional verification when the system detects anomalies or changes in the normal use patterns of a person would also be required to access web applications that capture, display or interface with Nonpublic Information. A Covered Entity must support Multi-Factor Authentication for any individual accessing such applications.
14. Data Retention Limitations
The Proposed Regulations require that a Covered Entity establish policies and procedures for the timely destruction of Nonpublic Information that is not necessary for providing products or services, except where law or regulation requires retention. This requirement would essentially mandate a document retention policy.
15. Training and Monitoring
Unless a Limited Exemption applies, a Covered Entity must monitor activity of its authorized users and detect unauthorized access, use or tampering with Nonpublic Information and require all personnel to attend regular cybersecurity awareness training sessions that are updated to reflect risks identified in the Covered Entity’s annual risk assessment.
The Proposed Regulations will be open to comment for 45 days after it is published in the New York State Register (which will be September 28, 2016). If and when adopted, it will be codified as part of Title 23 of the New York Codes, Rules and Regulations (NYCRR) under the authority of the New York Financial Services Law. The Proposed Regulations contemplate an effective date of January 1, 2017 and Covered Entities would have 180 days from the effective date to comply with the final regulations. Submission of the annual certification of compliance to the NYDFS would commence on January 15, 2018.