NYDFS issues final cybersecurity regulations, setting new industry standard for cybersecurity controls
On February 16, 2017, the New York State Department of Financial Services (the “NYDFS”) issued its final regulations setting forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk (the “Final Regulations”). The NYDFS issued the Final Regulations after considering feedback and criticism received during two comment periods: one following the NYDFS’s initial publication of the proposed regulation (on September 13, 2016) and a second after the NYDFS published a revised version of the regulation (on December 28, 2016).
The Final Regulations will be effective as of March 1, 2017, with a transitional period of 180 days from that date for Covered Entities to comply with the Final Regulations, except for certain enumerated provisions for which longer compliance periods are specified. The annual certification of compliance (covering the prior calendar year) will be required beginning on February 15, 2018.
Overview
Generally, the Final Regulations leave intact virtually all of the prescriptive requirements included in the revised proposal. The Final Regulations retain the central requirement that a Covered Entity adopt a cybersecurity program and policies, including a written incident response plan, that address all of the areas dictated by the regulations. The cybersecurity program and policies must also be designed to reflect an entity’s individual “Risk Assessment” of its Information Systems, how it collects and stores Nonpublic Information, and the availability and effectiveness of controls to protect each. The Covered Entity must annually certify its program to the NYDFS through board (or senior officer) approval, and notice must be given to the NYDFS within 72 hours of cybersecurity incidents that either are reported to other government or supervisory bodies or have a reasonable likelihood of materially harming the operations of the Covered Entity.
The Final Regulations also include prescriptive requirements relating to the designation of a Chief Information Security Officer (“CISO”), penetration testing, access privileges, application security, cybersecurity personnel and intelligence, third-party service provider management, data retention, encryption, multi-factor authentication, and training and monitoring. As the NYDFS recognizes, such specific mandatory requirements are “first in the nation” and may very well become the new industry standard for cybersecurity controls.
The Final Regulations respond to some of the most substantial concerns industry had with the first version of the regulation, including: (1) application of a “one-size-fits-all” approach which did not account for a business’s unique business model and differences in IT systems and risk profiles; (2) a mandatory encryption requirement; and (3) no materiality standard or “harm trigger” for cybersecurity event reporting.
Risk-Based Approach
With respect to the first concern, industry trade groups had urged the NYDFS to modify its first version of the regulation to make all requirements risk-based and appropriate to each company’s risk profile, nature, size, complexity, scope of activities and sensitivity of personal customer information maintained by each company. The Final Regulations now require that cybersecurity programs reflect an entity’s individual “Risk Assessment” of its Information Systems, how it collects and stores Nonpublic Information and the availability and effectiveness of controls to protect each. The Risk Assessment process must be designed so that entities can respond to technological developments and “evolving threats.”
Encryption
The first version of the regulations required mandatory encryption unless a limited exemption applied or encryption was not currently feasible (in which case a transition period with “compensating controls” applied). This presented, in effect, a very broad and costly encryption requirement that may also have been at odds with overall operational needs. In the Final Regulations, encryption is no longer required in all instances. Rather, a Covered Entity must implement controls, including encryption, to protect Nonpublic Information held or transmitted by the Covered Entity both in transit over external networks and at rest, “unless an effective alternative compensating control” is approved by the Covered Entity’s CISO.
Harm Triggers
Under the Final Regulations, a cybersecurity event must be reported to the NYDFS if it has “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” The first version of the regulations did not contain such a harm trigger and, as industry argued, could have required reporting of numerous unsuccessful attempts to access company Information Systems and daily occurrences of routine network activity and human errors, which would be unlikely to result in material harm to either a company or an individual subject of “Nonpublic Information.”
The Final Regulations also clarify a few requirements that were unclear in the revised proposal. Some of those clarifications and minor revisions include:
- The Final Regulations allow a Covered Entity to meet the requirement to maintain a Cybersecurity Program (500.02) by adopting the “relevant and applicable provisions” of a cybersecurity program maintained by an Affiliate, “provided that such provisions satisfy the requirements of this Part, as applicable to the Covered Entity.”
- The Final Regulations also revise the applicable time periods for maintaining records under the Audit Trail requirement (500.06). While the required time period for maintaining records designed to reconstruct material financial transactions is still five years, the NYDFS reduced the required time period for maintaining records of audit trails designed to detect and respond to Cybersecurity Events to three years.
- The Final Regulations clarify that Notice to the Superintendent (500.17) is required when a Cybersecurity Event meets either one of two conditions, revising the prior proposed language which, by using “and” instead of “or,” left the conditions triggering notice unclear. The Final Regulations require Notice to the Superintendent no later than 72 hours from a determination that a Cybersecurity Event has occurred “that is either of the following: (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
- The Final Regulations also broaden and clarify the exemptions included in Section 500.19 for entities meeting certain conditions.
  - First, the Final Regulations grant a limited exemption from some substantive provisions for Covered Entities with fewer than 10 employees, including any independent contractors, “of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity.” The exemption also extends to Covered Entities with less than $5,000,000 in gross annual revenue in each of the last three fiscal years “from New York business operations of the Covered Entity and its Affiliates.” These entities, however, are still required to comply with the requirements relating to the Cybersecurity Program (500.02), the Cybersecurity Policy (500.03), Access Privileges (500.07), the Risk Assessment (500.09), the Third Party Service Provider Security Policy (500.11), Limitations on Data Retention (500.13), and Notices to the Superintendent (500.17).
  - Second, the Final Regulations grant an exemption from many of the substantive provisions for Covered Entities under Article 70 of the Insurance Law (captive insurance companies) that “[do] not and [are] not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to [their] corporate parent company (or Affiliates).” These entities, however, are still required to comply with the requirements relating to the Risk Assessment (500.09), the Third Party Service Provider Security Policy (500.11), Limitations on Data Retention (500.13), and Notices to the Superintendent (500.17).
  - Third, all persons or entities subject to Insurance Law section 1110 (charitable annuity societies), Insurance Law section 5904 (risk retention groups not chartered and licensed in New York), or any accredited reinsurer or certified reinsurer pursuant to 11 NYCRR 125 are exempt from the requirements of the Final Regulations, provided that such persons or entities do not otherwise qualify as Covered Entities under the Final Regulations.