United States: N.Y.'s New Cybersecurity Regulations: What Financial Services Companies Need To Know

With corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those "Cybersecurity Requirements for Financial Services Companies" (the "Cybersecurity Rule" or "Rule") finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks towards the first of the Rule's phased compliance deadlines less than six months away, the guidance is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information ("Nonpublic Information") from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule's requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule's reporting, recordkeeping and certification requirements.

The following provides a summary of key obligations and issues under the Cybersecurity Rule. We also note, where applicable, how the new FAQs and other information from NYDFS may inform the requirements of the Rule, in particular with respect to certain ambiguities and potential implementation challenges that remained when the rule was finalized in mid-February.

OVERVIEW

The Cybersecurity Rule applies to "covered entities"—generally, entities subject to NYDFS authority under New York banking, insurance and financial services law, including, for example, commercial banks, foreign banks with New York State-licensed offices, mortgage brokers and servicers, small-loan lenders and money transmitters doing business in New York.

As noted above, the Rule is focused on the protection of Information Systems and Nonpublic Information. In this regard, the requirements imposed by the Rule can be divided into three categories of requirements and controls: (1) administrative requirements, such as written policies and procedures; (2) technical controls, such as encryption and multifactor authentication; and (3) notice, recordkeeping and reporting requirements. We address highlights of each below.

ADMINISTRATIVE REQUIREMENTS

Cybersecurity Program. The Cybersecurity Rule requires each covered financial institution to maintain a "cybersecurity program" designed to protect the confidentiality, integrity and availability of its Information Systems. This "core" requirement of the Rule is generally consistent with other standards (e.g., the Gramm-Leach-Bliley Act) and best practices, in that it requires that the cybersecurity program be designed to perform the core cybersecurity functions of identifying and assessing threats and risks, protecting Information Systems and Nonpublic Information from malicious use and unauthorized access and detecting, responding to and recovering from "Cybersecurity Events," which the rule defines as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System." In a slight twist, the program must also be designed to fulfill applicable reporting obligations imposed by the Rule.

Of note, NYDFS confirmed in the FAQs that a covered financial institution may adopt the cybersecurity program of an affiliate "in whole or in part," but the covered financial institution's overall cybersecurity program must meet the requirements of the Cybersecurity Rule. In this regard, the covered financial institution itself (not the affiliate) must certify to compliance with the Rule. Nonetheless, NYDFS also notes that where a covered financial institution adopts an affiliate's program, the affiliate's program must be available to NYDFS for examination. This fact may complicate business decisions for some covered financial institutions, particularly where the affiliate is not already subject to NYDFS jurisdiction.

Written Cybersecurity Policy. As part of its cybersecurity program, a covered financial institution must have written cybersecurity policies, approved by a senior officer or its board of directors, that address a wide variety of security concepts, including data classification, asset inventory and device management, access controls and identity management, business continuity, network security, physical security, third-party service provider requirements and incident response procedures. As a result, a critical first step for covered financial institutions is to map their existing written information security policies to the Cybersecurity Rule to determine what if any additional policies and procedures may be necessary.

Risk Assessment. A covered financial institution is also required to conduct periodic risk assessments that must inform the design of its cybersecurity program. In this regard, a covered financial institution must have a written policy and procedure for conducting risk assessments that must include, among other things, establishing criteria for evaluating and categorizing identified cybersecurity risks or threats and assessing the adequacy of existing controls in light of these identified risks.

As discussed further below, the Rule provides covered financial institutions with one year to come into compliance with the risk assessment requirements (i.e., by March 1, 2018), which is six months after the required cybersecurity program and written policies must be in place. The FAQs, however, affirm that covered financial institutions "are generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended." With regard to the risk assessment specifically, NYDFS indicated that it "recognizes that in some cases there may be updates and revisions" to the program and policies incorporating the results of a future risk assessment.

Additional Policies and Procedures. The Cybersecurity Rule identifies a wide range of specific policies and procedures that a covered financial institution must have in place. These include:

  • Written procedures, guidelines and standards related to application security to ensure the use of secure development practices for internally developed applications and to evaluate, assess and test the security of third-party applications;
  • Risk-based policies, procedures and controls to monitor user activity and detect unauthorized access to, or use of, Nonpublic Information by such users;
  • Policies and procedures for the secure disposal of Nonpublic Information, consistent with retention requirements under existing laws and regulations; and
  • Written policies and procedures relating to third-party service providers that address, for example, risk assessments of, and minimum cybersecurity standards for, these third parties.

Covered financial institutions must also have policies and procedures that address "due diligence and/or contractual protections" relating to service providers, including a service provider's use of multifactor authentication and encryption, and notice to the financial institution in the event of certain Cybersecurity Events. In the FAQs, NYDFS affirms that not all service providers are required to implement multifactor authentication and encryption when dealing with a covered financial institution. Instead, NYDFS notes that there is no "one-size-fits-all solution" created by the Cybersecurity Rule, and each covered financial institution must make a risk assessment regarding the appropriate controls "based on the individual facts and circumstances presented."

Incident Response Plan. A covered financial institution must also have a written incident response plan for material Cybersecurity Events. The plan must address a number of aspects of incident response, including, for example, roles, responsibilities and decision-making authority and processes for documenting and reporting Cybersecurity Events.

Chief Information Security Officer/Responsible Individual. The Cybersecurity Rule requires that a covered financial institution have a qualified individual (defined in the Rule as the "CISO") responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. (The Rule does not require that an individual actually hold the title CISO, but rather that an identified individual be designated responsible for the program.) The FAQs clarify that the CISO can be an employee of an affiliate, but the covered financial institution remains responsible for all requirements of the Rule, including ensuring that the CISO performs her obligations under the Rule. For example, the CISO must report at least annually to the board of directors on the cybersecurity program.

The covered financial institution must also have sufficient cybersecurity personnel in place to oversee the core functions of the cybersecurity program (i.e., identify risks and prevent, detect, respond to and recover from cybersecurity threats, as applicable). The covered financial institution must provide these personnel with appropriate training and verify that they take steps to maintain current knowledge of changing cybersecurity threats and countermeasures. More broadly, the covered financial institution must provide all personnel with regular cybersecurity awareness training.

TECHNICAL CONTROLS

While the Cybersecurity Rule is clearly focused on administrative controls and processes and there are far fewer technical controls mandated by the Rule, the Rule's technical controls may in practice be far more prescriptive. As we noted previously, NYDFS did not provide additional clarity regarding the nature and scope of certain of these requirements, such as the encryption and multifactor authentication requirements, in the final revisions to the Cybersecurity Rule. NYDFS has provided no further guidance in the FAQs either.

Penetration Testing and Vulnerability Assessments. A covered financial institution's cybersecurity program must include monitoring and testing to assess the effectiveness of the program. This monitoring and testing can be either: (1) continuous monitoring, or using other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities; or (2) annual penetration testing, based on relevant identified risks in accordance with the risk assessment, and bi-annual vulnerability assessments.

In the FAQs, NYDFS elaborates that "continuous monitoring" entails "the ability to continuously, on an ongoing basis, detect changes or activities . . . that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity." The FAQs also illustrate these requirements by contrast. For example, the FAQs indicate that manual review of logs and firewall configurations would not be considered "effective continuous monitoring." Nonetheless, it appears that NYDFS believes that "continuous system monitoring" is an appropriate alternative to periodic penetration testing and vulnerability assessments.

Multi-factor Authentication. The Cybersecurity Rule appears to push beyond some industry standard expectations for the use of multifactor authentication, although the actual requirements are ostensibly to be based on a covered institution's risk assessment. Specifically, a covered financial institution is required to use "effective" controls, which may include multifactor authentication or risk-based authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. Nonetheless, multifactor authentication is specifically required for access to the covered financial institution's internal networks from external networks, unless the CISO "has approved in writing the use of reasonably equivalent or more secure access controls."

This provision was not clarified in the final rule, and there is no discussion of it in the FAQs. As a result, it remains unclear if NYDFS expects the requirement for multifactor authentication to apply to employee remote access, customer access to online accounts or both.

Encryption of Nonpublic Information. One of the most significant requirements of the Cybersecurity Rule is the requirement that covered entities must implement controls, including encryption, to protect Nonpublic Information held or transmitted by the covered financial institution both in transit over external networks and at rest. Under the Rule, if a covered financial institution determines that encryption is infeasible, the covered financial institution is permitted to secure such information using compensating controls reviewed and approved by the CISO. As we noted previously, the Rule is not clear as to whether encryption is a mandate and whether compensating controls can only be adopted as an alternative when encryption is "infeasible."

The FAQs offer no further insight on this point, although NYDFS did state in its State Register notice accompanying the final rule that it did not further modify the encryption requirement because it believes in "the importance of encryption as a key cybersecurity control." NYDFS also noted, however, that it believes the final rule also provides "flexibility for Covered Entities to evaluate, in light of their Risk Assessment, the scope and means of feasibly implementing encryption controls." Notably, NYDFS also stated that it considers leased lines (i.e., dedicated connections between a covered financial institution and some other party) to constitute "external networks" for purposes of this requirement.

Audit Trails. A covered financial institution is also required to securely maintain systems, based on its risk assessment, in order to reconstruct material financial transactions sufficient to support normal operations and obligations (and maintain such records for five years). Covered entities are also required to maintain "audit trails" to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered financial institution (and maintain such records for three years).

Access Privileges. A covered financial institution must limit user access privileges to systems that provide access to Nonpublic Information and periodically review those access privileges.

NOTIFICATIONS AND REPORTING

Covered financial institutions have significant reporting obligations under the Rule, including: (1) an annual report by a covered financial institution's CISO to its board of directors or equivalent governing body on the financial institution's cybersecurity program and "material" cybersecurity risks (with such report, along with other documents relating to the cybersecurity program, being made available to NYDFS upon request); and (2) notices to NYDFS no later than 72 hours "from a determination" that a Cybersecurity Event has occurred that either: (A) impacts the covered financial institution and requires notice to a "government body, self-regulatory agency or any other supervisory body"; or (B) has a "reasonable likelihood of materially harming any material part of the normal operation(s)" of the financial institution.

The FAQs largely repeat these requirements without any commentary, although NYDFS notes that "even if [an] attack is not successful," it may constitute a reportable event. This statement appears to significantly broaden the scope of the notification requirement, as NYDFS apparently believes that unsuccessful attacks could have a reasonable likelihood of materially harming a covered financial institution. As a result, covered financial institutions will have to determine what types of events will require notice to NYDFS and incorporate these considerations into their incident response plans.

NYDFS also notes in the FAQs that it will "at a later date" provide a secure reporting tool for notices of Cybersecurity Events required to be provided to NYDFS, but that for now covered entities are required to send such notices to the supervisory staff to which the covered financial institution typically reports.

Certification and Documentation of Remedial Efforts. The requirement for annual certifications of compliance is likely to cause significant challenges for many covered financial institutions. Specifically, each covered financial institution must certify its compliance with the Cybersecurity Rule (as opposed to, for example, certifying that the covered financial institution has implemented policies and procedures designed to meet the requirements of the Rule). Covered financial institutions are also required to maintain "all records, schedules and data supporting" the certification for up to five years. Perhaps further complicating this certification requirement, the Cybersecurity Rule requires that covered financial institutions document remedial efforts to address "areas, systems or processes that require material improvement."

In the FAQs, NYDFS states that it "expects full compliance" with the Rule while also stating that a covered financial institution "may not submit a certification . . . unless [it] is in compliance with all applicable requirements" of the Cybersecurity Rule at the time of certification (emphasis added). By requiring covered financial institutions to both certify their full compliance and document areas requiring improvement, NYDFS risks giving covered entities a Hobson's choice: either document for inspection by NYDFS what could be deemed indicia of noncompliance or forego efforts to continually improve and update the enterprise's information security program.

OTHER CONSIDERATIONS AND TIMING

As noted, the Cybersecurity Rule takes effect in phases, with the first set of requirements coming into force on August 28, 2017 and then additional requirements one year, 18 months, and two years following the March 1, 2017 effective date. NYDFS summarizes these transition periods here. The FAQs helpfully confirm that at the first annual certification (due February 15, 2018), a covered financial institution is only required to certify to the requirements for which the transitional period has terminated prior to that date. Here is a more detailed summary of the phased compliance periods.

Key Compliance Dates

By August 28, 2017, covered financial institutions must be in compliance with the following:

  • The requirement to have a cybersecurity program and cybersecurity policies and procedures;
  • The designation of a CISO;
  • The access privileges requirement;
  • The requirements relating to cybersecurity personnel and cybersecurity intelligence;
  • The requirement for an incident response plan; and
  • The requirement to provide notice of certain cybersecurity events to NYDFS and to document remedial efforts. The first certification to compliance with the Rule is required by February 15, 2018.

By March 1, 2018, covered financial institutions must be in compliance with the following:

  • The requirement that the CISO report to the board of directors on the cybersecurity program;
  • The penetration testing and vulnerability assessment requirements;
  • The risk assessment requirement (i.e., the covered financial institution must have completed its first risk assessment under the Cybersecurity Rule);
  • The multifactor authentication requirements; and
  • The cybersecurity awareness training requirement.

By September 3, 2018, covered financial institutions must be in compliance with the following:

  • The audit trail requirements;
  • The application security requirements;
  • The data retention requirements;
  • The monitoring requirements; and
  • The encryption requirements.

Finally, by March 1, 2019, covered financial institutions must be in compliance with the third-party service provider provisions.

Now that NYDFS has provided guidance in the form of the FAQs, covered financial institutions should not expect much additional clarification from NYDFS in the short term on its precise expectations under the Cybersecurity Rule. As we have noted before, implementation is likely to continue to be challenging, including because this is a "first-in-the-nation cybersecurity regulation" issued by a state financial regulator.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
