United States: N.Y.'s New Cybersecurity Regulations: What Financial Services Companies Need To Know

With corporate data security breaches on the rise, the New York State Department of Financial Services (NYDFS) has adopted rules requiring financial institutions to take certain measures to safeguard their data and inform state regulators about cybersecurity incidents. Intended to thwart future cyberattacks and protect consumers, those "Cybersecurity Requirements for Financial Services Companies" (the "Cybersecurity Rule" or "Rule") finally took effect on March 1, 2017. The NYDFS has released guidance on how to follow the Rule in the form of frequently asked questions (FAQs) and a summary of key compliance dates. Although the guidance is apparently intended to assist covered financial institutions as the clock ticks towards the first of the Rule's phased compliance deadlines less than six months away, the guidance is unlikely to make the implementation challenges many financial institutions will face any less daunting.

The Cybersecurity Rule requires that covered financial institutions, among other things, adopt detailed programs, policies and procedures to protect Information Systems (which are defined to include essentially any computer or networked electronic system) and certain sensitive business and consumer information ("Nonpublic Information") from cybersecurity threats.

The Rule is narrower and less prescriptive than the original proposal from September 2016 (and largely the same as the second proposal from December 2016). Nonetheless, covered financial institutions now have less than six months to establish compliance with the first of the Cybersecurity Rule's requirements. This means covered financial institutions will quickly need to: (1) assess the current state of their information security programs and what modifications may be required based on the specific policies and controls required by the Rule; and (2) consider the new processes that may need to be created to meet the Rule's reporting, recordkeeping and certification requirements.

The following provides a summary of key obligations and issues under the Cybersecurity Rule. We also note, where applicable, how the new FAQs and other information from NYDFS may inform the requirements of the Rule, in particular with respect to certain ambiguities and potential implementation challenges that remained when the rule was finalized in mid-February.

OVERVIEW

The Cybersecurity Rule applies to "covered entities"—generally, entities subject to NYDFS authority under New York banking, insurance and financial services law, including, for example, commercial banks, foreign banks with New York State-licensed offices, mortgage brokers and servicers, small-loan lenders and money transmitters doing business in New York.

As noted above, the Rule is focused on the protection of Information Systems and Nonpublic Information. In this regard, the requirements imposed by the Rule can be divided into three categories of requirements and controls: (1) administrative requirements, such as written policies and procedures; (2) technical controls, such as encryption and multifactor authentication; and (3) notice, recordkeeping and reporting requirements. We address highlights of each below.

ADMINISTRATIVE REQUIREMENTS

Cybersecurity Program. The Cybersecurity Rule requires each covered financial institution to maintain a "cybersecurity program" designed to protect the confidentiality, integrity and availability of its Information Systems. This "core" requirement of the Rule is generally consistent with other standards (e.g., the Gramm-Leach-Bliley Act) and best practices, in that it requires that the cybersecurity program be designed to perform the core cybersecurity functions of identifying and assessing threats and risks, protecting Information Systems and Nonpublic Information from malicious use and unauthorized access and detecting, responding to and recovering from "Cybersecurity Events," which the rule defines as "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System." In a slight twist, the program must also be designed to fulfill applicable reporting obligations imposed by the Rule.

Of note, NYDFS confirmed in the FAQs that a covered financial institution may adopt the cybersecurity program of an affiliate "in whole or in part," but the covered financial institution's overall cybersecurity program must meet the requirements of the Cybersecurity Rule. In this regard, the covered financial institution itself (not the affiliate) must certify to compliance with the Rule. Nonetheless, NYDFS also notes that where a covered financial institution adopts an affiliate's program, the affiliate's program must be available to NYDFS for examination. This fact may complicate business decisions for some covered financial institutions, particularly where the affiliate is not already subject to NYDFS jurisdiction.

Written Cybersecurity Policy. As part of its cybersecurity program, a covered financial institution must have written cybersecurity policies, approved by a senior officer or its board of directors, that address a wide variety of security concepts, including data classification, asset inventory and device management, access controls and identity management, business continuity, network security, physical security, third-party service provider requirements and incident response procedures. As a result, a critical first step for covered financial institutions is to map their existing written information security policies to the Cybersecurity Rule to determine what if any additional policies and procedures may be necessary.

Risk Assessment. A covered financial institution is also required to conduct periodic risk assessments that must inform the design of its cybersecurity program. In this regard, a covered financial institution must have a written policy and procedure for conducting risk assessments that must include, among other things, establishing criteria for evaluating and categorizing identified cybersecurity risks or threats and assessing the adequacy of existing controls in light of these identified risks.

As discussed further below, the Rule provides covered financial institutions with one year to come into compliance with the risk assessment requirements (i.e., by March 1, 2018), which is six months after the required cybersecurity program and written policies must be in place. The FAQs, however, affirm that covered financial institutions "are generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended." With regard to the risk assessment specifically, NYDFS indicated that it "recognizes that in some cases there may be updates and revisions" to the program and policies incorporating the results of a future risk assessment.

Additional Policies and Procedures. The Cybersecurity Rule identifies a wide range of specific policies and procedures that a covered financial institution must have in place. These include:

  • Written procedures, guidelines and standards related to application security to ensure the use of secure development practices for internally developed applications and to evaluate, assess and test the security of third-party applications;
  • Risk-based policies, procedures and controls to monitor user activity and detect unauthorized access to, or use of, Nonpublic Information by such users;
  • Policies and procedures for the secure disposal of Nonpublic Information, consistent with retention requirements under existing laws and regulations; and
  • Written policies and procedures relating to third-party service providers that address, for example, risk assessments of, and minimum cybersecurity standards for, these third parties.

Covered financial institutions must also have policies and procedures that address "due diligence and/or contractual protections" relating to service providers, including a service provider's use of multifactor authentication and encryption, and notice to the financial institution in the event of certain Cybersecurity Events. In the FAQs, NYDFS affirms that not all service providers are required to implement multifactor authentication and encryption when dealing with a covered financial institution. Instead, NYDFS notes that there is no "one-size-fits-all solution" created by the Cybersecurity Rule, and each covered financial institution must make a risk assessment regarding the appropriate controls "based on the individual facts and circumstances presented."

Incident Response Plan. A covered financial institution must also have a written incident response plan for material Cybersecurity Events. The plan must address a number of aspects of incident response, including, for example, roles, responsibilities and decision-making authority and processes for documenting and reporting Cybersecurity Events.

Chief Information Security Officer/Responsible Individual. The Cybersecurity Rule requires that a covered financial institution have a qualified individual (defined in the Rule as the "CISO") responsible for overseeing and implementing its cybersecurity program and enforcing its cybersecurity policy. (The Rule does not require that an individual actually hold the title CISO, but rather that an identified individual be designated responsible for the program.) The FAQs clarify that the CISO can be an employee of an affiliate, but the covered financial institution remains responsible for all requirements of the Rule, including ensuring that the CISO performs her obligations under the Rule. For example, the CISO must report at least annually to the board of directors on the cybersecurity program.

The covered financial institution must also have sufficient cybersecurity personnel in place to oversee the core functions of the cybersecurity program (i.e., identify risks, and prevent, detect, respond to and recover from cybersecurity threats, as applicable). The covered financial institution must provide these personnel with appropriate training and verify that they take steps to maintain current knowledge of changing cybersecurity threats and countermeasures. More broadly, the covered financial institution must provide all personnel with regular cybersecurity awareness training.

TECHNICAL CONTROLS

While the Cybersecurity Rule is clearly focused on administrative controls and processes and there are far fewer technical controls mandated by the Rule, the Rule's technical controls may in practice be far more prescriptive. As we noted previously, NYDFS did not provide additional clarity regarding the nature and scope of certain of these requirements, such as the encryption and multifactor authentication requirements, in the final revisions to the Cybersecurity Rule. NYDFS has provided no further guidance in the FAQs either.

Penetration Testing and Vulnerability Assessments. A covered financial institution's cybersecurity program must include monitoring and testing to assess the effectiveness of the program. This monitoring and testing can be either: (1) continuous monitoring, or using other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities; or (2) annual penetration testing, based on relevant identified risks in accordance with the risk assessment, and bi-annual vulnerability assessments.

In the FAQs, NYDFS elaborates that "continuous monitoring" entails "the ability to continuously, on an ongoing basis, detect changes or activities . . . that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity." The FAQs also illustrate these requirements by contrast. For example, the FAQs indicate that manual review of logs and firewall configurations would not be considered "effective continuous monitoring." Nonetheless, it appears that NYDFS believes that "continuous system monitoring" is an appropriate alternative to periodic penetration testing and vulnerability assessments.

Multi-factor Authentication. The Cybersecurity Rule appears to push beyond some industry standard expectations for the use of multifactor authentication, although the actual requirements are to be ostensibly based on a covered institution's risk assessment. Specifically, a covered financial institution is required to use "effective" controls, which may include multifactor authentication or risk-based authentication, to protect against unauthorized access to Nonpublic Information or Information Systems. Nonetheless, multifactor authentication is specifically required for access to the covered financial institution's internal networks from external networks, unless the CISO "has approved in writing the use of reasonably equivalent or more secure access controls."

This provision was not clarified in the final rule, and there is no discussion of it in the FAQs. As a result, it remains unclear if NYDFS expects the requirement for multifactor authentication to apply to employee remote access, customer access to online accounts or both.

Encryption of Nonpublic Information. One of the most significant requirements of the Cybersecurity Rule is the requirement that covered entities must implement controls, including encryption, to protect Nonpublic Information held or transmitted by the covered financial institution both in transit over external networks and at rest. Under the Rule, if a covered financial institution determines that encryption is infeasible, the covered financial institution is permitted to secure such information using compensating controls reviewed and approved by the CISO. As we noted previously, the Rule is not clear as to whether encryption is a mandate and whether compensating controls can only be adopted as an alternative when encryption is "infeasible."

The FAQs offer no further insight on this point, although NYDFS did state in its State Register notice accompanying the final rule that it did not further modify the encryption requirement because it believes in "the importance of encryption as a key cybersecurity control." NYDFS also noted, however, that it believes the final rule also provides "flexibility for Covered Entities to evaluate, in light of their Risk Assessment, the scope and means of feasibly implementing encryption controls." Notably, NYDFS also stated that it considers leased lines (i.e., dedicated connections between a covered financial institution and some other party) to constitute "external networks" for purposes of this requirement.

Audit Trails. A covered financial institution is also required to securely maintain systems, based on its risk assessment, in order to reconstruct material financial transactions sufficient to support normal operations and obligations (and maintain such records for five years). Covered entities are also required to maintain "audit trails" to detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered financial institution (and maintain such records for three years).

Access Privileges. A covered financial institution must limit user access privileges to systems that provide access to Nonpublic Information and periodically review those access privileges.

NOTIFICATIONS AND REPORTING

Covered financial institutions have significant reporting obligations under the Rule, including: (1) an annual report by a covered financial institution's CISO to its board of directors or equivalent governing body on the financial institution's cybersecurity program and "material" cybersecurity risks (with such report, along with other documents relating to the cybersecurity program, being made available to NYDFS upon request); and (2) notices to NYDFS no later than 72 hours "from a determination" that a Cybersecurity Event has occurred that either: (A) impacts the covered financial institution and requires notice to a "government body, self-regulatory agency or any other supervisory body"; or (B) has a "reasonable likelihood of materially harming any material part of the normal operation(s)" of the financial institution.

The FAQs largely repeat these requirements without any commentary, although NYDFS notes that "even if [an] attack is not successful," it may constitute a reportable event. This statement appears to significantly broaden the scope of the notification requirement, as NYDFS apparently believes that unsuccessful attacks could have a reasonable likelihood of materially harming a covered financial institution. As a result, covered financial institutions will have to determine what types of events will require notice to NYDFS and incorporate these considerations into their incident response plans.

NYDFS also notes in the FAQs that it will "at a later date" provide a secure reporting tool for notices of Cybersecurity Events required to be provided to NYDFS, but that for now covered entities are required to send such notices to the supervisory staff to which the covered financial institution typically reports.

Certification and Documentation of Remedial Efforts. The requirement for annual certifications of compliance is likely to cause significant challenges for many covered financial institutions. Specifically, each covered financial institution must certify its compliance with the Cybersecurity Rule (as opposed to, for example, certifying that the covered financial institution has implemented policies and procedures designed to meet the requirements of the Rule). Covered financial institutions are also required to maintain "all records, schedules and data supporting" the certification for up to five years. Perhaps further complicating this certification requirement, the Cybersecurity Rule requires that covered financial institutions document remedial efforts to address "areas, systems or processes that require material improvement."

In the FAQs, NYDFS states that it "expects full compliance" with the Rule while also stating that a covered financial institution "may not submit a certification . . . unless [it] is in compliance with all applicable requirements" of the Cybersecurity Rule at the time of certification (emphasis added). By requiring covered financial institutions to both certify their full compliance and document areas requiring improvement, NYDFS risks giving covered entities a Hobson's choice: either document for inspection by NYDFS what could be deemed indicia of noncompliance or forego efforts to continually improve and update the enterprise's information security program.

OTHER CONSIDERATIONS AND TIMING

As noted, the Cybersecurity Rule takes effect in phases, with the first set of requirements coming into force on August 28, 2017 and then additional requirements one year, 18 months, and two years following the March 1, 2017 effective date. NYDFS summarizes these transition periods here. The FAQs helpfully confirm that at the first annual certification (due February 15, 2018), a covered financial institution is only required to certify to the requirements for which the transitional period has terminated prior to that date. Here is a more detailed summary of the phased compliance periods.

Key Compliance Dates

By August 28, 2017, covered financial institutions must be in compliance with the following:

  • The requirement to have a cybersecurity program and cybersecurity policies and procedures;
  • The designation of a CISO;
  • The access privileges requirement;
  • The requirements relating to cybersecurity personnel and cybersecurity intelligence;
  • The requirement for an incident response plan; and
  • The requirement to provide notice of certain cybersecurity events to NYDFS and to document remedial efforts. The first certification to compliance with the Rule is required by February 15, 2018.

By March 1, 2018, covered financial institutions must be in compliance with the following:

  • The requirement that the CISO report to the board of directors on the cybersecurity program;
  • The penetration testing and vulnerability assessment requirements;
  • The risk assessment requirement (i.e., the covered financial institution must have completed its first risk assessment under the Cybersecurity Rule);
  • The multifactor authentication requirements; and
  • The cybersecurity awareness training requirement.

By September 3, 2018, covered financial institutions must be in compliance with the following:

  • The audit trail requirements;
  • The application security requirements;
  • The data retention requirements;
  • The monitoring requirements; and
  • The encryption requirements.

Finally, by March 1, 2019, covered financial institutions must be in compliance with the third-party service provider provisions.

Now that NYDFS has provided guidance in the form of the FAQs, covered financial institutions should not expect much additional clarification from NYDFS in the short term on its precise expectations under the Cybersecurity Rule. As we have noted before, implementation is likely to continue to be challenging, including because this is a "first-in-the-nation cybersecurity regulation" issued by a state financial regulator.

Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Morrison & Foerster LLP. All rights reserved
