United States: New York Department Of Financial Services Revises Proposed Cybersecurity Regulations

On December 28, 2016, the New York Department of Financial Services (the DFS) issued a revised version of proposed regulations (the Revised Proposal) regarding cybersecurity requirements that would apply to financial services firms that are licensed, or are otherwise granted operating privileges, by the DFS (Covered Entities). As described in our September 26, 2016 bulletin titled New Cybersecurity Rules May Apply Imminently to a Wide Range of Financial Services Firms in New York State, the DFS first proposed cybersecurity regulations on September 13, 2016 (the Original Proposal). The DFS is inviting comments on its Revised Proposal until January 27, 2017. The Revised Proposal is expected to become effective as of March 1, 2017, subject to the compliance transition periods discussed further below.

The changes reflected in the Revised Proposal resulted, in part, from the substantial public comments submitted in response to the Original Proposal. Although the Revised Proposal addresses several areas of concern or confusion for financial services firms, certain questions of scope and liability remain. Notwithstanding the intended effects of the revisions to accommodate suggestions from commenters, the Revised Proposal's requirements remain extensive and may impose significant compliance burdens on Covered Entities.

Notable Changes to the Original Proposal

Cybersecurity Risk Assessments and Program Requirements. One key emphasis in the Revised Proposal is on Covered Entities' risk assessments, which, as the Revised Proposal makes clear, are to be a central factor in the development of systems, policies and procedures for compliance with the cybersecurity regulations. This emphasis appears to reflect DFS's acknowledgment that the Original Proposal's prescribed "one-size-fits-all" requirements for cybersecurity programs were, arguably, at odds with the DFS's stated objective that such programs be risk-based. Although the development of a cybersecurity program based upon an individualized and somewhat fluid risk assessment may result in greater costs and require more effort, that approach will permit greater flexibility and more easily attainable objectives for Covered Entities when developing compliant cybersecurity programs. This will be particularly true for those smaller and less complex institutions that may not require the cybersecurity compliance infrastructure needed by most larger and more interconnected institutions. Notably, the Revised Proposal also relieves a Covered Entity from establishing a cybersecurity program that will "ensure" the confidentiality, integrity and availability of the Covered Entity's information systems (as was required under the Original Proposal); instead, Covered Entities' cybersecurity programs must be designed to "protect" those aspects of their information systems.

With respect to cybersecurity personnel and resources, whereas the Original Proposal required Covered Entities to "employ" qualified cybersecurity personnel to manage cybersecurity risks and perform the core functions of their cybersecurity programs, the Revised Proposal more broadly requires Covered Entities to "utilize qualified personnel of the Covered Entity, an Affiliate or a Third Party Service Provider" in carrying out cybersecurity program-related responsibilities and other applicable requirements. Although Covered Entities must field a minimum level of cybersecurity experience and expertise, this broader language in the Revised Proposal permits the contracting of external personnel rather than the full-time employment of in-house resources.

Nonpublic Information. "Nonpublic information" (NPI)—the security and integrity of which the cybersecurity regulations are designed to protect—is defined slightly differently under the Revised Proposal than in the Original Proposal. The revised definition of NPI continues to include the "business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity." The Revised Proposal, however, narrows and consolidates the other categories of NPI.

Under the Original Proposal, NPI included the above-described business-related information, as well as any information (i) provided by an individual to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, (ii) about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, (iii) that a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual, or (iv) that can be used to distinguish or trace an individual's identity. In general, industry commenters viewed this definition as overbroad. Perhaps in recognition of these concerns, the DFS in the Revised Proposal limits the scope of covered identifying information to information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records.

The Revised Proposal's definition of NPI relating to individuals, although still broad, is consistent in many ways with the definition of protected "private information" under New York's Information Security Breach and Notification statute, as well as the data security and breach notification laws of many other jurisdictions. The revised definition may therefore mitigate the need for Covered Entities to maintain a separate classification of protected information for purposes of compliance with the Revised Proposal. However, the inclusion of business-related information remains very broad, and might include information such as emails, strategy documents and sensitive operating procedures, all of which would be subject to the obligation to protect, as well as the Revised Proposal's requirements relating to encryption of data in transit and at rest.

Access Controls and Encryption. Under the Revised Proposal, Covered Entities' use of multi-factor authentication and encryption for the protection of information systems and NPI generally may be based on the risk assessments of those firms. Thus, a Covered Entity with a lower cybersecurity risk profile may elect to adopt certain risk-based authentication techniques that are less burdensome or costly than multi-factor authentication. However, multi-factor authentication (which is defined specifically, and does not include methods like device-based authentication) must still be used for any individual accessing the entity's internal networks from an external network "unless the Covered Entity's Chief Information Security Officer (CISO) has approved in writing the use of reasonably equivalent or more secure access controls." Firms may view reliance on a written determination by the CISO that an alternative method is "reasonably equivalent" or "more secure" as riskier than conforming to the general rule. The Revised Proposal therefore maintains a certain technology preference, arguably persuading Covered Entities to use the method specifically allowed by the regulations, and dampening the potential use of other (and perhaps more innovative) technologies or methods.

Similarly, while the Original Proposal mandated the encryption of NPI while at rest or during transmission across external networks, the Revised Proposal allows Covered Entities to implement reasonable controls for the protection of NPI held or transmitted on external networks. However, as with the above-described multi-factor authentication provision, "to the extent a Covered Entity determines that encryption of [NPI] [in transit over external networks or at rest] is infeasible, the Covered Entity may instead secure such [NPI] using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO." The use of an alternative method therefore requires a finding that the use of encryption is "infeasible," and a written determination to use an alternative method—again tilting the technological choice to secure NPI (including sensitive business information) to encryption and away from methods such as access controls or data-sharding for data at rest. In sum, while these revisions afford Covered Entities greater flexibility than the Original Proposal regarding risk-based access controls when those controls are reviewed regularly by a firm's CISO, the Revised Proposal nonetheless reveals stated technology preferences.

CISO Requirements. The Revised Proposal includes certain clarifications with respect to the CISO required under the regulations. Specifically, a firm's CISO need not be hired or appointed to serve exclusively in that capacity. A Covered Entity may designate a qualified individual to perform the required functions of the CISO, and that individual's professional duties do not need to be limited to CISO functions. Moreover, the Revised Proposal clarifies that the use of the specific title of CISO is not required.

With respect to the reporting duties of the CISO, the Revised Proposal limits the scope of the reports required to be made to a Covered Entity's Board of Directors in terms of both frequency (from bi-annually to annually)[1] and content (for example, by requiring the CISO to identify and report on material cyber risks to the Covered Entity, rather than all cyber risks).

Third Party Service Providers. The Revised Proposal contains a number of modifications affecting Third Party Service Providers and the obligations imposed upon such entities. These modifications include, among others:

  • Adding the defined term "Third Party Service Provider." The definition includes firms that provide services to Covered Entities or that maintain, process or are otherwise permitted access to the NPI of Covered Entities. Affiliates of Covered Entities are excluded from the definition.
  • Requiring internal guidelines for arrangements with Third Party Service Providers instead of prescriptive preferred contract provisions. The Revised Proposal specifies the topics to be addressed by contracts with Third Party Service Providers instead of dictating the provisions' content. For example, the Revised Proposal would not, as did the Original Proposal, require specific representations and warranties from Third Party Service Providers that any service or product that they provide to a Covered Entity "is free of viruses, trap doors, time bombs and other mechanisms" that would pose cyber risks to the Covered Entity. The DFS appears to have recognized that such a categorical representation as the Original Proposal required could almost never be made with certainty and thus would essentially be meaningless.
  • Clarifying that a Covered Entity's Third Party Service Provider security policies and procedures shall be based on and tailored according to the periodic risk assessments of the Covered Entity. This clarification addresses the concern that, for purposes of Covered Entities' responsibility to design and implement Third Party Service Provider security policies and procedures, the Original Proposal may have required an individual risk assessment of every Third Party Service Provider used by a Covered Entity. It is also consistent with the clarifications described above regarding the requirements for risk-based cybersecurity programs and access control policies and procedures.

Cybersecurity Event Reporting Obligations. Under both Proposals, a "cybersecurity event" means "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." However, the Revised Proposal includes certain concessions to Covered Entities regarding reporting obligations in connection with such events. The Original Proposal required Covered Entities to report to the DFS within 72 hours of "becoming aware" of a cybersecurity event that affects NPI or that has a reasonable likelihood of materially "affecting" Covered Entities' normal operations. By contrast, the Revised Proposal requires Covered Entities to notify the DFS within 72 hours of making a determination that a cybersecurity event of the following types has occurred: (i) a cybersecurity event that has a reasonable likelihood of materially "harming" the normal operations of the Covered Entity and (ii) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency.

These modifications are likely to ease the burden on Covered Entities of reporting cybersecurity events without compromising the well-accepted goal of notifying affected individuals and government agencies about serious cybersecurity breaches. Financial services firms operating in New York are currently subject to extensive security breach notification requirements under New York's General Business Law and may be responsible for certain reporting requirements applicable under federal interagency guidelines. Accordingly, the changes incorporated into the Revised Proposal will not let serious cybersecurity incidents go unreported.[2]

Exemptions. The Revised Proposal broadens the exemptions from some of the cybersecurity requirements of the regulations for certain Covered Entities. The revised exemption applies to any Covered Entity with either (i) fewer than 10 employees (including independent contractors) or (ii) less than US$5 million in gross annual revenue in each of the last three years or US$10 million in year-end total assets. The Revised Proposal also adds an exemption, not included in the Original Proposal, for any Covered Entity that "does not directly or indirectly operate, maintain, utilize or control any information systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess NPI."[3]

The Revised Proposal, however, would require any Covered Entity that qualifies for an applicable exemption to file a one-time Notice of Exemption.[4]

Transition Periods. The Revised Proposal includes staggered transition periods for compliance with various aspects of the regulations. Consistent with the Original Proposal, Covered Entities are granted 180 days from the effective date of any final regulations (which, as noted, is expected to be March 1, 2017) to come into full compliance. But the Revised Proposal also includes longer transition periods for select requirements. Covered Entities are given one year to comply with requirements relating to penetration testing and vulnerability assessments, periodic risk assessments, multi-factor authentication and certain training and monitoring provisions. Covered Entities are given 18 months to comply with requirements relating to an audit trail, application security, data retention, encryption and certain training and monitoring provisions and two years to comply with Third Party Service Provider requirements.

Considerations for Covered Entities

Although the Revised Proposal modifies the Original Proposal in ways that may reduce the burdens of complying with the regulations, certain provisions of the Original Proposal that have remained intact may cause confusion or subject firms to significant compliance costs. For example, the term "Covered Entity" was not amended substantively in the Revised Proposal (other than to exclude governmental entities) and the intended scope of the regulations was not otherwise addressed by the DFS. As noted in our analysis of the Original Proposal, although it is clear that banks, insurance companies and their holding companies would be Covered Entities, it is unclear to what extent firms with multi-state enterprise-wide operations, but with only limited ties to New York state, could be deemed to be Covered Entities. This question may arise for out-of-state banks with one or more branches (or limited-purpose offices such as trust offices) in New York state. The enterprise-wide activities of such banks could be made subject to the Revised Proposal, possibly through affiliated DFS-regulated insurance entities and other financial services firms, even if the activities that occur within the DFS's jurisdiction or involve the NPI of New York residents are minimal.

Notwithstanding the above, we note that with respect to national banks, the Revised Proposal may be preempted by federal law.[5] Moreover, although federal law governing the subsidiaries, agents and affiliates of national banks located in New York would not preempt the Revised Proposal, the enforcement of the regulations by the DFS could be precluded by federal law, which vests with the Office of the Comptroller of the Currency exclusive visitorial authority regarding the content and conduct of activities authorized for national banks under federal law.[6] Similarly, the Securities Exchange Act (Exchange Act) limits the application of state law establishing certain functional and reporting requirements upon broker-dealers that differ from or add to requirements established by the Exchange Act or regulations issued thereunder by the Securities and Exchange Commission (SEC).[7]

The Revised Proposal also does not modify the Original Proposal's annual certification-of-compliance requirement. Completion of an annual certification of compliance is likely to be costly for Covered Entities and will require senior officer(s) of such Entities to obtain actual, perhaps extensive knowledge of compliance systems and controls. Although the DFS appears to have received considerable commentary regarding the cost and limited utility of an annual certification of compliance, the DFS stated the following in connection with the release of the Revised Proposal: "The [DFS] has determined that the annual certification of compliance is an important part of the regulation and the [DFS's] oversight of the financial market. The [DFS] does not believe that the requirement creates unnecessary burdens; to the contrary, the [DFS] believes the process is essential to good corporate governance." The DFS's statement that an annual certification of compliance is "essential to good corporate governance" provides an indication that the Covered Entity's certifying senior officer(s) and/or directors may be personally liable for perceived compliance shortcomings.

In sum, the Revised Proposal allows for greater flexibility than the Original Proposal, which, at least in certain contexts, could reduce compliance obligations and related costs. Nevertheless, the implementation of compliance systems that conform to the DFS's cybersecurity regulations likely will be a challenging and costly exercise—and ongoing liability for firms and their individual officers and directors remains possible. Accordingly, the various strategic alternatives for managing institutional and personal regulatory risk discussed in our analysis of the Original Proposal—such as charter conversion (to a new home state or a national bank charter), relocation and reorganization—would remain relevant even if the DFS's cybersecurity regulations are adopted in their revised form.

As noted, the DFS is accepting comments on the Revised Proposal only until January 27, 2017. Any firms considering providing recommendations for additional modifications thus have a very short window of time in which to do so.

Footnotes

1. We note that the term "bi-annually" could be read to require a report by the CISO every two years, as opposed to twice per year, but in light of the totality of the changes made by the DFS in the Revised Proposal, and without clear guidance from the DFS on this subject, we presume that the change from "bi-annually" to "annually" is intended to lessen, not increase, the reporting obligations of CISOs.

2. The Revised Proposal also provides that any information provided to the DFS by a Covered Entity pursuant to the DFS's cybersecurity regulations is "subject to exemptions from disclosure" under the New York Banking, Insurance, Financial Services and Public Officers Laws "or any other applicable federal or state laws."

3. The first provision discussed above (in effect, a small institution exemption) exempts Covered Entities from compliance with the requirements of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of the regulations, while the second provision (applicable to entities that do not operate, maintain, utilize or control information systems and which do not own, access, generate, receive or possess NPI) exempts Covered Entities from compliance with Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16.

4. Appendix B of the Revised Proposal provides a model Notice of Exemption form.

5. 12 U.S.C. § 25b.

6. Id. § 484; 12 C.F.R. § 7.400.

7. 15 U.S.C. § 78o(i). We note that the SEC has promulgated several regulations related to cybersecurity and the protection of information and trading systems, securities markets and customer information.
