NYDFS Revises Cybersecurity Regulations Incorporating Risk-Based Approach; Maintains Prescriptive Requirements and Certifications
On December 28, 2016, the New York State Department of Financial Services (the “NYDFS”) issued revised proposed regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (“Revised Proposed Regulations”). The NYDFS issued the Revised Proposed Regulations after considering feedback and criticism submitted during a 45-day comment period to address the initial proposal, issued on September 13, 2016. The agency has announced an additional and final 30-day comment period from the date of publication to address new comments not previously raised in the original comment process.
The Revised Proposed Regulations scale back some elements of the proposal, building in certain flexibility for the diversity of programs and organizational structures, while leaving other requirements largely intact. The most significant change is the NYDFS’s adoption of a “risk based” approach to addressing cybersecurity risk. The NYDFS’s initial proposal was strongly criticized for its “one size fits all” approach, which failed to account for significant variations among entities’ business models and operations, IT systems and risk profiles. Under the new proposal, cybersecurity programs are designed to reflect an entity’s individual “Risk Assessment” of its Information Systems, how it collects and stores Nonpublic Information, and the availability and effectiveness of controls to protect each. The Risk Assessment process must be designed so that entities can respond to technological developments and “evolving threats.”
A number of controversial elements of the Revised Proposed Regulations remain intact, including the requirement that a Covered Entity not only maintain a cybersecurity program but also annually certify its program to the NYDFS through board (or senior officer) approval. Covered Entities are also required to maintain a cybersecurity policy and establish a written incident response plan, each of which must address all of the areas dictated by the Revised Proposed Regulations. On the whole, the proposal retains prescriptive requirements pertaining to penetration testing, access privileges, application security, cybersecurity personnel and intelligence, third-party service provider management, data retention, and training and monitoring. Such specific and mandated detail is, as the NYDFS recognizes, “first in the nation.”
Some other key changes to the proposed regulations include:
- Recognition that entities may adopt an affiliate’s cybersecurity program, provided that it adequately covers the entity’s information systems and nonpublic information.
- A narrowed definition of “Nonpublic Information”:
- The first element of the definition has been narrowed to include “business related information” (as opposed to “any” business related information) the tampering with which, or the unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity, triggering certain reporting requirements.
- The second element of the definition has been limited to apply only to information that can be used to identify an individual, in combination with one or more other data elements, which include the individual’s social security number, driver’s license number or other identification card number, account number, credit or debit card number, any code or password that would permit access to an individual’s financial account, or biometric records. The initial proposal defined the term broadly to include any information provided by an individual to an entity (or that the entity otherwise obtains) in connection with any financial product, service or transaction, without regard to whether it can be used to identify an individual.
- A new definition of “Third-Party Service Provider,” limited to a non-affiliate of the Covered Entity which provides services to the entity and maintains, processes, or is permitted access to Nonpublic Information through such services.
- A revised breach notification requirement for notice of events “that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” The initial proposal required a breach report regardless of the risk of material harm — a report was required whenever a Cybersecurity Event has a reasonable likelihood of materially affecting “the normal operation” of a Covered Entity or that “affects Nonpublic Information.”
- Revised encryption and multi-factor authentication standards to recognize a risk-based approach, including the potential for compensating controls.
- Encryption is no longer mandatory in all circumstances. A Covered Entity must implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity, both in transit over external networks and at rest. To the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks (or of Nonpublic Information at rest) is not feasible, the Covered Entity may instead use alternate controls reviewed and approved by the CISO. Under the first version of the Proposed Regulations, unless the regulation’s Limited Exemption applied (or encryption was not currently feasible), a Covered Entity was required to encrypt all Nonpublic Information held or transmitted by the Covered Entity, both in transit and at rest.
- Multi-Factor Authentication (to protect against unauthorized access to Nonpublic Information or Information Systems) is no longer mandatory in all circumstances. A Covered Entity may now use “effective controls”, which may include Multi-Factor Authentication or Risk-Based Authentication, although Multi-Factor Authentication remains mandatory for any individual accessing a Covered Entity’s internal networks from an external network, unless the Covered Entity’s Chief Information Security Officer (CISO) approves (in writing) “reasonably equivalent” or “more secure access” controls. Multi-Factor Authentication is defined as verification of at least two of the following three types of authentication factors: (1) knowledge (password); (2) possession (token or text on a mobile phone); and (3) inherence (biometric characteristic). “Risk-Based Authentication” detects anomalies or changes in the normal use patterns of a person and requires additional verification of the person’s identity when such deviations or changes are detected (such as the use of “challenge questions”).
- Written policies may be approved by a senior officer, the board, or an appropriate committee of the board.
- The limited exemptions in the Proposed Regulations have been revised. Among other things, a category of limited exemption was added: Covered Entities with fewer than 10 employees, including any independent contractors.
- The Proposed Regulations now make clear that a Chief Information Security Officer (CISO) need not be employed by a Covered Entity and may be employed by the Covered Entity’s affiliate or a Third Party Service Provider. The CISO would now be required to report annually (not bi-annually) to the Covered Entity’s board of directors concerning the cybersecurity program.
- Audit trail requirements have been pared down. The initial proposal required that audit trail system tracking and data maintenance enable the complete reconstruction of all financial transactions and accounting necessary to enable detection of and response to Cybersecurity Events. The Revised Proposed Regulations now require Covered Entities to: (a) maintain systems that (to the extent applicable and based on the entity’s Risk Assessment) can reconstruct material financial transactions sufficient to support the normal operations and obligations of the Covered Entity; and (b) include audit trails designed to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.
- There is explicit recognition that information submitted pursuant to the regulations is exempt from public disclosure.
The Revised Proposed Regulations will be open for comment for 30 days after being published in the New York State Register (which was December 28, 2016). The Revised Proposed Regulations contemplate an effective date of March 1, 2017, and Covered Entities would be given 180 days from that date to comply with the final regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance will be required beginning on February 15, 2018.