New York State Department of Financial Services Finalizes Cybersecurity Regulations

As we reported in January, the New York Department of Financial Services ("DFS") has been in the process of refining proposed regulations that would govern the cybersecurity requirements of entities falling within its jurisdiction. DFS originally released the proposed regulations in September of 2016. After receiving and reviewing a multitude of comments from the public and business sectors, the DFS issued revised proposed regulations in December 2016 and allowed for an additional comment period ending on January 27. On February 16, 2017, DFS issued the final regulations, which went into effect on March 1, 2017. The regulations are promulgated as Part 500 of Title 23 of the New York Code of Rules and Regulations (23 NYCRR 500).

In the Introduction section to the regulations, the DFS stated its purpose in passing the regulations: "Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization's cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity's cybersecurity program must ensure the safety and soundness of the institution and protect its customers."

As we previously reported, the DFS regulations are some of the most comprehensive cybersecurity requirements imposed by any governmental entity, state or federal. There is some feeling that regulations similar to the DFS regulations could expand into other industries and be adopted by other governmental entities covering a broader segment of businesses. Indeed, the purpose of the regulations as stated by DFS could just as easily be said for many different industry sectors, from health care to retail to everything in between. With the ever increasing reliance on technology and electronic data storage, cybersecurity issues are not going away and businesses that might not fall within the purview of the DFS regulations would be wise to anticipate (and be prepared to address) similar requirements being imposed on them at some point in the not too distant future.

In any event, entities covered by the DFS regulations will have 180 days from March 1 (until August 28, 2017) to comply with the bulk of the requirements contained in the regulations, though a number of the requirements allow for a longer compliance period. Set forth below are the key definitions and requirements contained in the regulations, based on the compliance deadlines for the requirements.

Also worth emphasizing, and as discussed further below, the regulations will require third-parties that work with covered entities to have certain protections and policies in place in order for the covered entities to permit such third-parties to have access to sensitive data.

KEY DEFINITIONS:

Of primary importance is to what entities do the regulations directly apply. The regulations apply to a "Covered Entity," which is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law" (25 NYCRR 500.01(c)).

There are several exceptions listed in the regulations pursuant to which an otherwise Covered Entity would be exempted from complying with most of the requirements (25 NYCRR 500.19). Specifically, an otherwise Covered Entity will be exempt if it has (1) fewer than 10 employees including any independent contractors, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. An entity could also be exempt if it "does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information." If an otherwise Covered Entity believes if falls within any of the potential exemptions, it must submit a form to the DFS within 30 days of the determination that it is exempt. Moreover, if an entity ceases to meet the requirements for an exemption, it has 180 days from the end of its most recent fiscal year to comply with all of the regulatory requirements.

Also of significant import is the matter of what information is to be protected. In this regard, the regulations differentiate between two types of information, publicly available versus nonpublic.

"Publicly Available Information" (25 NYCRR 500.01(j)) is defined as:

""¦any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public from: federal, state or local government records; widely distributed media; or disclosures to the general public that are required to be made by federal, state or local law. (1) For the purposes of this subsection, a Covered Entity has a reasonable basis to believe that information is lawfully made available to the general public if the Covered Entity has taken steps to determine: (i) That the information is of the type that is available to the general public; and (ii) Whether an individual can direct that the information not be made available to the general public and, if so, that such individual has not done so."

"Nonpublic Information" (25 NYCRR 500.01(g)) is defined as:

""¦all electronic information that is not Publicly Available Information and is:

(1) Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity;

(2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account; or (v) biometric records.

(3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual's family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual."

It is worth noting that the definition of "Nonpublic Information" under the regulations is somewhat broader than the definition of "Private Information" under New York's other key cybersecurity law, General Business Law § 899-aa, which deals with when and how notifications must be provided for a cybersecurity breach.

Other key terms defined in the regulations include:

"Information System" (25 NYCRR 500.01(e)) which is defined as "a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems."

"Cybersecurity Event" which means "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System." It is worth noting that this definition is also somewhat broader than the similar term "Breach of the security of the system" under General Business Law § 899-aa.

Lastly, as noted above, the regulations contain certain requirements with respect to third-parties. The regulations use the term "Third Party Service Provider" (25 NYCRR 500.01(n)) which is defined to include "a Person that (i) is not an Affiliate of the Covered Entity, (ii) provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity."

REQUIREMENTS TO BE MET WITHIN 180 DAYS:

There are a variety of requirements contained in the regulations that will require some sort of response and action by a Covered Entity in the normal course of its business, along with several other requirements that could become applicable under certain circumstances – for instance if there was a "Cybersecurity Event."

Of the "course of business" requirements, six have to be addressed within the first 180 days after the regulations become effective.

First, a Covered Entity is required to create and maintain a "Cybersecurity Program" (25 NYCRR 500.02). The "Cybersecurity Program" is not intended, or required, to be a "one size fits all" solution. Rather, the regulations permit the Covered Entity to create a relatively personalized Cybersecurity Program to address the particular risks applicable to that entity. The Cybersecurity Program, however, must meet certain minimum requirements, including:

(1) Detailing how the entity will identify and assess internal and external cybersecurity risks that may threaten the security of the Nonpublic Information stored on the entity's Information Systems;

(2) Detail the defensive infrastructure and policies/procedures implemented by the entity to protect its Information Systems from unauthorized access or malicious breaches;

(3) Identify how the entity will detect any Cybersecurity Events;

(4) Identify how the entity will respond to any Cybersecurity Events to mitigate any negative effects;

(5) Identify how the entity will recover from any Cybersecurity Events to restore normal operations and services; and

(6) Indicate how the entity will fulfill any applicable regulatory reporting obligations.

The Covered Entity is also required to have all documentation and information relevant to its Cybersecurity Program available for inspection by the DFS upon request.

Dovetailing with the Cybersecurity Program requirement, Covered Entities are also required to have a specific "Cybersecurity Policy" (25 NYCRR 50.03), which policy must be approved by a Senior Officer or the entities Board of Directors (or similar governing body) setting forth the policies and procedures for the protection of the entity's Information Systems and any Nonpublic Information maintained by the entity. The policy can again be tailored to the particular risk assessment of each Covered Entity, but again is required to address certain minimum standards. In relation to the Cybersecurity Policy requirement, a Covered Entity must also have a specific written "Incident Response Plan" (25 NYCRR 500.16). As the name suggests, the Incident Response Plan must indicate the steps that the entity will take in the event of a "Cybersecurity Event," including the internal processes for responding, external communication protocols, requirements for remediating any weaknesses that may have led to the event, and how the response will be documented.

The regulations also require that each Covered Entity designate a "qualified individual" as the Chief Information Security Officer ("CISO") (25 NYCRR 500.04) who will be responsible for overseeing and implementing the entity's Cybersecurity Program and Cybersecurity Policy. The CISO can be an existing employee or officer of the Covered Entity, or can be part of an affiliate of the entity or a third-party service provider (in which case there are additional requirements that must be met). In addition to implementation and oversight, the CISO is also required under the regulations to provide an annual written report to either a Senior Officer or the Board of Directors of the entity reporting on the status of the Cybersecurity Program, Cybersecurity Policy, and an assessment of the risks facing the entity and the effectiveness of the existing programs and policies. In addition to the CISO, the regulations also require that Covered Entities utilize qualified "Cybersecurity Personnel and Intelligence" (25 NYCRR 500.10). These can be employees or third-parties, but it is up to the Covered Entity to ensure that such "Cybersecurity Personnel" are capable of managing and performing the core cybersecurity functions of the entity and that such individuals have and/or are provided with sufficient updates and training to address evolving technology and cybersecurity risks.

Covered entities are also required to conducted an assessment of "Access Privileges" (25 NYCRR 500.07). This requirements means that entities must assess which of their employees or third-party providers have access to their various Information Systems and Nonpublic Information, and determined whether such individuals are required to have such access to perform their duties. The regulations require that the entities "periodically review" these access privileges.

REQUIREMENTS TO BE MET WITHIN ONE YEAR:

Within one year of the effective date of the regulations, a Covered Entity is required to undertake "Penetration Testing and Vulnerability Assessments" (25 NYCRR 500.05). This aspect of the regulation requires Covered Entities to undergo "continuous" monitoring and testing of their information systems to detect and assess any potential vulnerabilities in the entity's Information Systems or any changes in the systems that may create or indicate vulnerabilities. At a minimum, the regulations require annual penetration testing of the Information Systems based on the entity's risk assessment for that year as well as bi-annual vulnerability assessments, such as systematic scans of the Information Systems, to detect any potential vulnerability or unauthorized access.

Going hand in hand with the testing requirements and the Cybersecurity Program/Policy requirements discussed above, the regulations require a Covered Entity to conduct a periodic Risk Assessment (25 NYCRR 500.09). This process reflects the DFS' movement away from a one-size-fits-all policy and requires that Covered Entities continually update the assessment of the cybersecurity risks to their particular business to ensure that their cybersecurity program, policies, and procedures are addressing the cybersecurity risks facing the entity as both business, technology, and cybersecurity threats evolve. The Risk Assessment process itself must be done in accordance with the policies and procedures established by the entity, and it must be documented. The Risk Assessment must identify criteria for the evaluation and organization of the risks and threats facing the entity, must identify criteria for assessing the entity's existing controls to protect confidentiality and integrity of Information Systems and Nonpublic Information, and must include how identified risks will be mitigated or are otherwise acceptable based on the entity's Cybersecurity Program.

Also within one year of the effective date of the regulations, Covered entities must assess and have in place Multi-Factor Authentication (25 NYCRR 500.12) in certain circumstances. The regulations require that Covered Entities assess the potential use of Multi-factor and/or Risk-Based Authentication as part of their overall Risk Assessments. However, the regulations require that Multi-Factor Authentication be used for any individual accessing the Covered Entities internal networks from an external network (or that there be some other equivalent access control for external access).

Lastly, Covered entities are required to provide cybersecurity training for all personnel (25 NYCRR 500.14(b)).

REQUIREMENTS TO BE MET WITHIN 18 MONTHS:

Within 18 months of the effective date of the regulations, Covered entities are required to have in place certain additional policies and procedures that are generally encompassed within the entity's Cybersecurity Program. In particular, entities must have in place certain Audit Trails (25 NYCRR 500.06) for their Information Systems to allow for the reconstruction of "material financial transactions" and that would allow the entity to detect and respond to any Cybersecurity Event. Additionally, entities must have in place written procedures, guidelines and standards addressing the security for the development of any in-house applications by the entity and procedures for assessing and testing the security of such applications (Application Security, 25 NYCRR 500.08). Further, the entities must implement policies, procedures and controls designed to monitor the activity of Authorized Users and detect any unauthorized access to or tampering with Nonpublic Information (Monitoring Access, 25 NYCRR 500.14(a)).

Also within 18 months, Covered Entities must implement controls, with a specific focus on encryption, to protect Nonpublic Information both in transit over external networks and at rest in the entity's systems (Encryption of Nonpublic Information, 25 NYCRR 500.15). If the entity determines that encryption is not feasible, the entity must implement other "effective alternative compensating controls" to secure the data, which controls must be reviewed and approved by the CISO.

REQUIREMENTS TO BE MET WITHIN 2 YEARS:

There is one requirement that the regulations provide for implementation within two years, and that is the Third Party Service Provider Security Policy (25 NYCRR 500.11). As noted above, this aspect of the regulations not only requires action by the Covered Entity, but will also impact and require action on the part of any entity falling within the definition of a "Third Party Service Provider," which, as stated above, includes essentially any third party that has access to or some control over the Nonpublic Information maintained by a Covered Entity.

With respect to Covered Entities, the regulations require that the entities have policies and procedures to address: (1) the identification and risk assessment of the Third Party; (2) minimum cybersecurity practices to be met by the Third Party; (3) due diligence processes to be used to evaluate the cybersecurity practices of the Third Party; and (4) periodic assessment of the Third Party based on the risk they present and the continued adequacy of their cybersecurity practices.

The Covered Entities also must create guidelines for Third Parties pursuant to which the Third Parties will be required to provide/create: (1) policies and procedures relating to access controls (including the use of Multi-Factor Authentication) with regard to third party access to the Covered Entity's systems; (2) policies and procedures for use of encryption; (3) requirements concerning the notice to be provided by the Third Party in the event of a Cybersecurity Event; and (4) representations and warranties of the Third Party concerning the policies and practices that the Third Party has in place to ensure the security of the Covered Entity's Nonpublic Information.

In other words, Covered Entities are required to create policies and guidelines to ensure that their Nonpublic Information will be adequately secured by the Third Parties that access, use, or maintain the Covered Entities' Nonpublic Information. In turn, the Third Parties, to the extent they do not have them already, must create policies and procedures addressing the access to and security of any Covered Entities' Nonpublic Information. While the ultimate responsibility relating to the protection of data utilized by Third Party Service Providers still falls on the Covered Entity, the regulations make clear that the Covered Entities must require certain minimum standards from the Third Parties. Thus, any Third Party Service Provider is, by extension, going to be forced to ensure its compliance to the standards of the Covered Entity. And, if a Third Party's cybersecurity program is not up to standards, this could mean significant investment of time and resources over the next two years if that Third Party wants to continue doing business with a Covered Entity.

NOTICES TO THE SUPERINTENDENT:

As mentioned above, New York General Business Law § 899-aa contains certain notification requirements in the event of a qualifying cybersecurity breach under the provisions of that statute. The DFS regulations also contain a notification requirement that add to the notification required under the General Business Law in the event of a breach event. Specifically, the regulations (25 NYCRR 500.17) require that a Covered Entity: "shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event as follows has occurred: (1) Cybersecurity Events of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; and (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity."

In addition to the 72 hour notice requirement in the event of a breach event, the regulations require that each Covered Entity submit an annual written statement to the superintendent covering the prior year certifying that the Covered Entity is in compliance with ALL requirements under the regulations (there is a specific form for the required statement that was included as an Appendix to the regulations).

ENFORCEMENT:

The regulations do not specifically detail any potential penalties or the impact of non-compliance by a Covered Entity. Rather, the regulations simply provide that they will be enforced by the DFS "pursuant to"¦the superintendent's authority under any applicable laws" (22 NYCRR 500.20).