On September 1, 2018, five new requirements included in the New York State Department of Financial Services' (DFS) Cybersecurity Regulation go into effect – (1) audit trails, (2) application security, (3) data disposal requirements, (4) monitoring authorized users' activity, and (5) encryption of nonpublic information. Of these, the requirement to encrypt nonpublic information when held at rest or transmitted over external systems may be the most burdensome for businesses. Entities that fall within the Regulation's limited exemption provided in Section 500.19(a) (e.g., fewer than 10 employees, less than $5 million in gross annual revenue for last three years, or less than $10 million in year-end total assets) are exempt from complying with any of these provisions, aside from the data disposal requirement. All other covered entities are expected to be in compliance as of September 1.
DFS has not yet provided guidance as to when it will begin to penalize noncompliance with the Regulation, or what penalties may look like. Absent additional insight, covered entities would be wise to take action now to ensure they are in compliance with the Regulation.
- Audit Trails – Section 500.06 requires
all non-exempt covered entities to maintain systems to facilitate
reconstruction of material financial transactions and cybersecurity
audit trails, and to retain related records for three to five
years. Covered entities are expected to have systems in place to
reconstruct material financial transactions sufficient to support
the entities' normal operations and obligations. Records
related to these systems must be maintained for five years. Covered
entities also must have audit trails designed to detect and respond
to cybersecurity events that have a reasonable likelihood of
materially harming any material part of their normal operations.
Records related to these audit trails must be maintained for three
years.
- Application Security – Section 500.08
requires all non-exempt covered entities to include in their
cybersecurity programs written policies and procedures to (1)
ensure secure development practices for internally-developed
applications, and (2) to evaluate, assess, or test the security of
externally-developed applications they utilize.
- Data Disposal Requirements – Section
500.13 requires all covered entities, including those covered by
the limited exemption, to include in their cybersecurity programs
policies and procedures for the secure disposal of nonpublic
information that is no longer necessary for business operations or
for other legitimate business purposes. Covered entities are
permitted to retain such information if they are otherwise required
to retain it by another law or regulation, or where targeted
disposal is not reasonably feasible due to the manner in which the
information is maintained.
- Monitoring Authorized Users' Activity
– Section 500.14(a) requires all non-exempt covered entities
to implement risk-based policies, procedures, and controls to
monitor the activity of authorized users and detect if those users
are improperly using or tampering with nonpublic information. The
definition of authorized users includes employees, contractors,
agents or other persons who participate in a covered entity's
business operations and are authorized to access and use any
information systems and data of the covered entity. As a result,
this provision potentially requires the monitoring of a broad range
of personnel.
- Encryption of Nonpublic Information – Section 500.15 requires all non-exempt covered entities to, as part of their cybersecurity program based on their risk assessments, implement controls, including encryption or use another effective alternative control, to protect all nonpublic information when held or transmitted over external systems by the covered entity. If they determine that encryption is infeasible either for information at rest or in transit, covered entities may only use an effective alternative control if the alternative is reviewed and approved by their chief information security officer. This encryption requirement is in keeping with developing best practices in some industries.
After September 1, the next and last of the Regulation's rolling implementation deadlines is March 1, 2019 when all covered entities, even those subject to the limited exemption, are required to have a third party service provider policy in place. As of March 1, 2019, all provisions of the Cybersecurity Regulation will be in force.
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.