United States: New York Department Of Financial Services Revises Proposed Cybersecurity Regulations

On December 28, 2016, the New York Department of Financial Services (the DFS) issued a revised version of proposed regulations (the Revised Proposal) regarding cybersecurity requirements that would apply to financial services firms that are licensed, or are otherwise granted operating privileges, by the DFS (Covered Entities). As described in our September 26, 2016 bulletin titled New Cybersecurity Rules May Apply Imminently to a Wide Range of Financial Services Firms in New York State, the DFS first proposed cybersecurity regulations on September 13, 2016 (the Original Proposal). The DFS is inviting comments on its Revised Proposal until January 27, 2017. The Revised Proposal is expected to become effective as of March 1, 2017, subject to the compliance transition periods discussed further below.

The changes reflected in the Revised Proposal resulted, in part, from the substantial public comments submitted in response to the Original Proposal. Although the Revised Proposal addresses several areas of concern or confusion for financial services firms, certain questions of scope and liability remain. Notwithstanding the intended effects of the revisions to accommodate suggestions from commenters, the Revised Proposal's requirements remain extensive and may impose significant compliance burdens on Covered Entities.

Notable Changes to the Original Proposal

Cybersecurity Risk Assessments and Program Requirements. One key emphasis in the Revised Proposal is on Covered Entities' risk assessments, which, as the Revised Proposal makes clear, are to be a central factor in the development of systems, policies and procedures for compliance with the cybersecurity regulations. This emphasis appears to reflect DFS's acknowledgment that the Original Proposal's prescribed "one-size-fits-all" requirements for cybersecurity programs were, arguably, at odds with the DFS's stated objective that such programs be risk-based. Although the development of a cybersecurity program based upon an individualized and somewhat fluid risk assessment may result in greater costs and require more effort, that approach will permit greater flexibility and more easily attainable objectives for Covered Entities when developing compliant cybersecurity programs. This will be particularly true for those smaller and less complex institutions that may not require the cybersecurity compliance infrastructure needed by most larger and more interconnected institutions. Notably, the Revised Proposal also relieves a Covered Entity from establishing a cybersecurity program that will "ensure" the confidentiality, integrity and availability of the Covered Entity's information systems (as was required under the Original Proposal); instead, Covered Entities' cybersecurity programs must be designed to "protect" those aspects of their information systems.

With respect to cybersecurity personnel and resources, whereas the Original Proposal required Covered Entities to "employ" qualified cybersecurity personnel to manage cybersecurity risks and perform the core functions of their cybersecurity programs, the Revised Proposal more broadly requires Covered Entities to "utilize qualified personnel of the Covered Entity, an Affiliate or a Third Party Service Provider" in carrying out cybersecurity program-related responsibilities and other applicable requirements. Although Covered Entities must field a minimum level of cybersecurity experience and expertise, this broader language in the Revised Proposal permits the contracting of external personnel rather than the full-time employment of in-house resources.

Nonpublic Information. "Nonpublic information" (NPI)—the security and integrity of which the cybersecurity regulations are designed to protect—is defined slightly differently under the Revised Proposal than in the Original Proposal. The revised definition of NPI continues to include the "business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity." The Revised Proposal, however, narrows and consolidates the other categories of NPI.

Under the Original Proposal, NPI included the above-described business-related information, as well as any information (i) provided by an individual to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, (ii) about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, (iii) that a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual, or (iv) that can be used to distinguish or trace an individual's identity. In general, industry commenters viewed this definition as overbroad. Perhaps in recognition of these concerns, the DFS in the Revised Proposal limits the scope of covered identifying information to information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records.

The Revised Proposal's definition of NPI relating to individuals, although still broad, is consistent in many ways with the definition of protected "private information" under New York's Information Security Breach and Notification statute, as well as the data security and breach notification laws of many other jurisdictions. The revised definition may therefore mitigate the need for Covered Entities to maintain a separate classification of protected information for purposes of compliance with the Revised Proposal. However, the inclusion of business-related information remains very broad, and might include information such as emails, strategy documents and sensitive operating procedures, all of which would be subject to the obligation to protect, as well as the Revised Proposal's requirements relating to encryption of data in transit and at rest.

Access Controls and Encryption. Under the Revised Proposal, Covered Entities' use of multi-factor authentication and encryption for the protection of information systems and NPI generally may be based on the risk assessments of those firms. Thus, a Covered Entity with a lower cybersecurity risk profile may elect to adopt certain risk-based authentication techniques that are less burdensome or costly than multi-factor authentication. However, multi-factor authentication (which is defined specifically, and does not include methods like device-based authentication) must still be used for any individual accessing the entity's internal networks from an external network "unless the Covered Entity's Chief Information Security Officer (CISO) has approved in writing the use of reasonably equivalent or more secure access controls." Firms may view reliance on a written determination by the CISO that an alternative method is "reasonably equivalent" or "more secure" as riskier than conforming to the general rule. The Revised Proposal therefore maintains a certain technology preference, arguably persuading Covered Entities to use the method specifically allowed by the regulations, and dampening the potential use of other (and perhaps more innovative) technologies or methods.

Similarly, while the Original Proposal mandated the encryption of NPI while at rest or during transmission across external networks, the Revised Proposal allows Covered Entities to implement reasonable controls for the protection of NPI held or transmitted on external networks. However, as with the above-described multi-factor authentication provision, "to the extent a Covered Entity determines that encryption of [NPI] [in transit over external networks or at rest] is infeasible, the Covered Entity may instead secure such [NPI] using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO." The use of an alternative method therefore requires a finding that the use of encryption is "infeasible," and a written determination to use an alternative method—again tilting the technological choice to secure NPI (including sensitive business information) to encryption and away from methods such as access controls or data-sharding for data at rest. In sum, while these revisions afford Covered Entities greater flexibility than the Original Proposal regarding risk-based access controls when those controls are reviewed regularly by a firm's CISO, the Revised Proposal nonetheless reveals stated technology preferences.

CISO Requirements. The Revised Proposal includes certain clarifications with respect to the CISO required under the regulations. Specifically, a firm's CISO need not be hired or appointed to serve exclusively in that capacity. A Covered Entity may designate a qualified individual to perform the required functions of the CISO, and that individual's professional duties do not need to be limited to CISO functions. Moreover, the Revised Proposal clarifies that the use of the specific title of CISO is not required.

With respect to the reporting duties of the CISO, the Revised Proposal limits the scope of the reports required to be made to a Covered Entity's Board of Directors in terms of both frequency (from bi-annually to annually)1 and content (for example, by requiring the CISO to identify and report on material cyber risks to the Covered Entity, rather than all cyber risks).

Third Party Service Providers. The Revised Proposal contains a number of modifications affecting Third Party Service Providers and the obligations imposed upon such entities. These modifications include, among others:

  • Adding the defined term "Third Party Service Provider." The definition includes firms that provide services to Covered Entities or that maintain, process or are otherwise permitted access to the NPI of Covered Entities. Affiliates of Covered Entities are excluded from the definition.
  • Requiring internal guidelines for arrangements with Third Party Service Providers instead of prescriptive preferred contract provisions. The Revised Proposal specifies the topics to be addressed by contracts with Third Party Service Providers instead of dictating the provisions' content. For example, the Revised Proposal would not, as did the Original Proposal, require specific representations and warranties from Third Party Service Providers that any service or product that they provide to a Covered Entity "is free of viruses, trap doors, time bombs and other mechanisms" that would pose cyber risks to the Covered Entity. The DFS appears to have recognized that such a categorical representation as the Original Proposal required could almost never be made with certainty and thus would essentially be meaningless.
  • Clarifying that a Covered Entity's Third Party Service Provider security policies and procedures shall be based on and tailored according to the periodic risk assessments of the Covered Entity. This clarification addresses the concern that, for purposes of Covered Entities' responsibility to design and implement Third Party Service Provider security policies and procedures, the Original Proposal may have required an individual risk assessment of every Third Party Service Provider used by a Covered Entity. It is also consistent with the clarifications described above regarding the requirements for risk-based cybersecurity programs and access control policies and procedures.

Cybersecurity Event Reporting Obligations. Under both Proposals, a "cybersecurity event" means "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." However, the Revised Proposal includes certain concessions to Covered Entities regarding reporting obligations in connection with such events. The Original Proposal required Covered Entities to report to the DFS within 72 hours of "becoming aware" of a cybersecurity event that affects NPI or that has a reasonable likelihood of materially "affecting" Covered Entities' normal operations. By contrast, the Revised Proposal requires Covered Entities to notify the DFS within 72 hours of making a determination that a cybersecurity event of the following types has occurred: (i) a cybersecurity event that has a reasonable likelihood of materially "harming" the normal operations of the Covered Entity and (ii) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency.

These modifications are likely to ease the burden on Covered Entities of reporting cybersecurity events without compromising the well-accepted goal of notifying affected individuals and government agencies about serious cybersecurity breaches. Financial services firms operating in New York are currently subject to extensive security breach notification requirements under New York's General Business Law and may be responsible for certain reporting requirements applicable under federal interagency guidelines. Accordingly, the changes incorporated into the Revised Proposal will not let serious cybersecurity incidents go unreported.2

Exemptions. The Revised Proposal broadens the exemptions from some of the cybersecurity requirements of the regulations for certain Covered Entities. The revised exemption applies to any Covered Entity with either (i) fewer than 10 employees (including independent contractors) or (ii) less than US$5 million in gross annual revenue in each of the last three years or US$10 million in year-end total assets. The Revised Proposal also adds an exemption, not included in the Original Proposal, for any Covered Entity that "does not directly or indirectly operate, maintain, utilize or control any information systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess NPI." 3

The Revised Proposal, however, would require any Covered Entity that qualifies for an applicable exemption to file a one-time Notice of Exemption.4

Transition Periods. The Revised Proposal includes staggered transition periods for compliance with various aspects of the regulations. Consistent with the Original Proposal, Covered Entities are granted 180 days from the effective date of any final regulations (which, as noted, is expected to be March 1, 2017) to come into full compliance. But the Revised Proposal also includes longer transition periods for select requirements. Covered Entities are given one year to comply with requirements relating to penetration testing and vulnerability assessments, periodic risk assessments, multi-factor authentication and certain training and monitoring provisions. Covered Entities are given 18 months to comply with requirements relating to an audit trail, application security, data retention, encryption and certain training and monitoring provisions and two years to comply with Third Party Service Provider requirements.

Considerations for Covered Entities

Although the Revised Proposal modifies the Original Proposal in ways that may reduce the burdens of complying with the regulations, certain provisions of the Original Proposal that have remained intact may cause confusion or subject firms to significant compliance costs. For example, the term "Covered Entity" was not amended substantively in the Revised Proposal (other than to exclude governmental entities) and the intended scope of the regulations was not otherwise addressed by the DFS. As noted in our analysis of the Original Proposal, although it is clear that banks, insurance companies and their holding companies would be Covered Entities, it is unclear to what extent firms with multi-state enterprise-wide operations, but with only limited ties to New York state, could be deemed to be Covered Entities. This question may arise for out-of-state banks with one or more branches (or limited-purpose offices such as trust offices) in New York state. The enterprise-wide activities of such banks could be made subject to the Revised Proposal, possibly through affiliated DFS-regulated insurance entities and other financial services firms, even if the activities that occur within the DFS's jurisdiction or involve the NPI of New York residents are minimal.

Notwithstanding the above, we note that with respect to national banks, the Revised Proposal may be preempted by federal law.5 Moreover, although federal law governing the subsidiaries, agents and affiliates of national banks located in New York would not preempt the Revised Proposal, the enforcement of the regulations by the DFS could be precluded by federal law, which vests with the Office of the Comptroller of the Currency exclusive visitorial authority regarding the content and conduct of activities authorized for national banks under federal law.6 Similarly, the Securities Exchange Act (Exchange Act) limits the application of state law establishing certain functional and reporting requirements upon broker-dealers that differ from or add to requirements established by the Exchange Act or regulations issued thereunder by the Securities and Exchange Commission (SEC).7

The Revised Proposal also does not modify the Original Proposal's annual certification-of-compliance requirement. Completion of an annual certification of compliance is likely to be costly for Covered Entities and will require senior officer(s) of such Entities to obtain actual, perhaps extensive knowledge of compliance systems and controls. Although the DFS appears to have received considerable commentary regarding the cost and limited utility of an annual certification of compliance, the DFS stated the following in connection with the release of the Revised Proposal: "The [DFS] has determined that the annual certification of compliance is an important part of the regulation and the [DFS's] oversight of the financial market. The [DFS] does not believe that the requirement creates unnecessary burdens; to the contrary, the [DFS] believes the process is essential to good corporate governance." The DFS's statement that an annual certification of compliance is "essential to good corporate governance" provides an indication that the Covered Entity's certifying senior officer(s) and/or directors may be personally liable for perceived compliance shortcomings.

In sum, the Revised Proposal allows for greater flexibility than the Original Proposal, which, at least in certain contexts, could reduce compliance obligations and related costs. Nevertheless, the implementation of compliance systems that conform to the DFS's cybersecurity regulations likely will be a challenging and costly exercise—and ongoing liability for firms and their individual officers and directors remains possible. Accordingly, the various strategic alternatives for managing institutional and personal regulatory risk discussed in our analysis of the Original Proposal—such as charter conversion (to a new home state or a national bank charter), relocation and reorganization—would remain relevant even if the DFS's cybersecurity regulations are adopted in their revised form.

As noted, the DFS is accepting comments on the Revised Proposal only until January 27, 2017. Any firms considering providing recommendations for additional modifications thus have a very short window of time in which to do so.

Footnotes

1. We note that the term "bi-annually" could be read to require a report by the CISO every two years, as opposed to twice per year, but in light of the totality of the changes made by the DFS in the Revised Proposal, and without clear guidance from the DFS on this subject, we presume that the change from "bi-annually" to "annually" is intended to lessen, not increase, the reporting obligations of CISOs.

2. The Revised Proposal also provides that any information provided to the DFS by a Covered Entity pursuant to the DFS's cybersecurity regulations is "subject to exemptions from disclosure" under the New York Banking, Insurance, Financial Services and Public Officers Laws "or any other applicable federal or state laws."

3. The first provision discussed above (in effect, a small institution exemption) exempts Covered Entities from compliance with the requirements of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of the regulations, while the second provision (applicable to entities that do not operate, maintain, utilize or control information systems and which do not own, access, generate receive or possess NPI) exempts Covered Entities from compliance with Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16.

4. Appendix B of the Revised Proposal provides a model Notice of Exemption form.

5. 12 U.S.C. § 25b.

6. Id. § 484; 12 C.F.R. § 7.400.

7. 15 U.S.C. § 78o(i). We note that the SEC has promulgated several regulations related to cybersecurity and the protection of information and trading systems, securities markets and customer information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on Mondaq.com.

Click to Login as an existing user or Register so you can print this article.

Authors
Similar Articles
Relevancy Powered by MondaqAI
Kramer Levin Naftalis & Frankel LLP
Akin Gump Strauss Hauer & Feld LLP
Akin Gump Strauss Hauer & Feld LLP
 
In association with
Related Topics
 
Similar Articles
Relevancy Powered by MondaqAI
Kramer Levin Naftalis & Frankel LLP
Akin Gump Strauss Hauer & Feld LLP
Akin Gump Strauss Hauer & Feld LLP
Related Articles
 
Related Video
Up-coming Events Search
Tools
Print
Font Size:
Translation
Channels
Mondaq on Twitter
 
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
 
Email Address
Company Name
Password
Confirm Password
Position
Mondaq Topics -- Select your Interests
 Accounting
 Anti-trust
 Commercial
 Compliance
 Consumer
 Criminal
 Employment
 Energy
 Environment
 Family
 Finance
 Government
 Healthcare
 Immigration
 Insolvency
 Insurance
 International
 IP
 Law Performance
 Law Practice
 Litigation
 Media & IT
 Privacy
 Real Estate
 Strategy
 Tax
 Technology
 Transport
 Wealth Mgt
Regions
Africa
Asia
Asia Pacific
Australasia
Canada
Caribbean
Europe
European Union
Latin America
Middle East
U.K.
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions

Mondaq.com (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of www.mondaq.com

To Use Mondaq.com you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.

Disclaimer

The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.

General

Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions