19 January 2017

Proposed New York Cybersecurity Bill Requires Increased Protections For Financial Industry

Seyfarth Shaw LLP


On December 28, 2016, New York published a revised version of its proposed "Cybersecurity Requirements for Financial Services Companies," aimed at strengthening the information security, auditing, and reporting requirements for financial institutions doing business within New York State. The regulation was announced on September 13, 2016 as a first-of-its-kind regulation intended to protect consumers and financial institutions, and was originally scheduled to take effect on January 1, 2017. However, in response to the 45-day public comment period, a revised version was released mere days before the end of the year, on December 28, 2016, with an expected effective date of March 1, 2017.

Although the revised version will be subject to an additional 30-day public comment period, there are a number of key provisions in the current version that financial institutions should be aware of:

  1. 500.02. Cybersecurity Program: The required Cybersecurity Program will be based upon the Covered Entity's Risk Assessment (described in §500.09) and must be designed to perform the core functions listed in §500.02(b):

    1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity's Information Systems;
    2. use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity's Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
    3. detect Cybersecurity Events;
    4. respond to identified or detected Cybersecurity Events to mitigate any negative effects;
    5. recover from Cybersecurity Events and restore normal operations and services; and
    6. fulfill applicable regulatory reporting obligations.
    • 500.02(c) allows a Covered Entity to adopt the cybersecurity program of an Affiliate, provided the Affiliate's program meets the above requirements and covers the Covered Entity's Information Systems and Nonpublic Information.
  2. 500.03. Cybersecurity Policy: This section lists the areas that the written Cybersecurity Policy must address. The list is quite expansive and includes (but is not limited to) information security, data governance, network security and monitoring, physical security and environmental controls, customer data privacy, and incident response.
  3. 500.05. Penetration Testing and Vulnerability Assessments: The Cybersecurity Program must include periodic monitoring and testing and, at a minimum, annual penetration testing based on the risks identified in the Covered Entity's Risk Assessment, together with bi-annual vulnerability assessments that include the identification of any publicly known cybersecurity vulnerabilities.
  4. 500.06. Audit Trail: Each Covered Entity, to the extent applicable based upon its Risk Assessment, must maintain, for at least five years, records sufficient to reconstruct material financial transactions and audit trails related to Cybersecurity Events.
  5. 500.08. Application Security: The Cybersecurity Program must include written procedures, guidelines, and standards governing secure development practices for in-house applications and the evaluation and testing of externally developed applications.
  6. 500.09. Risk Assessment: The Risk Assessment must be carried out in accordance with written policies and procedures that address the following:

    1. criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the Covered Entity;
    2. criteria for the assessment of the confidentiality, integrity, security and availability of the Covered Entity's Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks; and
    3. requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
  7. 500.11. Third Party Service Provider Security Policy: Each Covered Entity must maintain a written policy regarding the security of Information Systems and Nonpublic Information accessible to, or held by, Third Party Service Providers. The policy must include methods for assessing the risks posed by these providers and must set out the minimum cybersecurity practices that each provider is required to implement.
  8. 500.12. Multi-Factor Authentication: Any individual who accesses a Covered Entity's internal network from an external network must use multi-factor authentication, unless the Covered Entity's Chief Information Security Officer ("CISO") has approved in writing a reasonably equivalent or more secure access control. Note that the regulation defines Multi-Factor Authentication as verification of at least two different factor types (knowledge, possession, or inherence), so two factors of the same type, such as two passwords, do not satisfy the requirement.
  9. 500.16. Incident Response Plan: The Cybersecurity Program must include a written incident response plan designed to respond to, and recover from, Cybersecurity Events that materially affect the confidentiality, integrity, or availability of the Covered Entity's Information Systems or the continuing functionality of its business or operations. The plan must address:

    1. the internal processes for responding to a Cybersecurity Event;
    2. the goals of the incident response plan;
    3. the definition of clear roles, responsibilities and levels of decision-making authority;
    4. external and internal communications and information sharing;
    5. identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
    6. documentation and reporting regarding Cybersecurity Events and related incident response activities; and
    7. the evaluation and revision as necessary of the incident response plan following a Cybersecurity Event.
  10. 500.17. Notices to Superintendent: A Covered Entity must notify the Superintendent of the New York State Department of Financial Services ("Superintendent") within 72 hours of determining that a Cybersecurity Event has occurred that (1) requires notice to a government body, self-regulatory agency, or any other supervisory body, or (2) has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

Each year by February 15, a Covered Entity must submit to the Superintendent a written certification stating that it is in compliance with these regulations and describing the steps it has taken to ensure compliance. All records, schedules and data supporting that certification must be retained for at least five years.

  11. 500.19. Exemptions: There are a number of exemptions from all or part of these regulations.
  12. 500.22. Transitional Periods: In general, Covered Entities will have 180 days from March 1, 2017 to comply with these regulations; §500.22(b) provides longer transitional periods for certain individual sections.

The current version of these regulations is available from the New York State Department of Financial Services, and we will continue to monitor any further revisions that occur before March 1, 2017. To ensure that you are aware of any further updates regarding this story or others involving eDiscovery, Data Privacy, and Cybersecurity, please subscribe to the blog.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
