The New York Department of Financial Services (NYDFS) has proposed regulations that require all financial services businesses operating in New York to develop and maintain a comprehensive cybersecurity program. The regulations impose significant minimum cybersecurity requirements, and mandate board of director involvement and accountability. Covered businesses should immediately evaluate their existing cybersecurity programs against the NYDFS regulations and begin to develop a plan for full compliance.
What Businesses are Covered?
The NYDFS is a relatively recent amalgamation of New York’s banking and insurance departments and is sweeping in its jurisdiction. The proposed regulations apply to every business operating in New York that is required to have a “license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance, or financial services law.
While this includes banks and insurers, it also includes related businesses. Brokers, including mortgage and insurance brokers, as well as bail bond agents, check cashers, non-profit credit counselors and budget planners, licensed lenders, premium finance agencies, and others, are potentially subject to the regulations. (NYDFS-supervised businesses are discussed here.)
There are limited exceptions for those covered businesses that meet all three of the following:
• fewer than 1000 customers in each of the last three calendar years;
• less than $5 million in gross annual revenue for each of the last three years; and,
• less than $10 million in year-end total assets (including all affiliates) as calculated in accordance with GAAP.
The Proposed Regulations
The regulations require that covered businesses develop comprehensive cybersecurity policies and plans that meet dozens of specific and technical requirements listed in the regulations.
Cybersecurity Program & Policies
Every covered business is required to develop and maintain a comprehensive cybersecurity program and written cybersecurity policies to protect the integrity of their information systems and the nonpublic information on those systems.
The cybersecurity policies must address a minimum of fourteen specific areas:
- Information security;
- Data governance and classification;
- Access controls and identity management;
- Business continuity and disaster recovery planning and resources;
- Capacity and performance planning;
- Systems operations and availability;
- Systems and network security;
- Systems and network monitoring;
- Systems and application development and quality assurance;
- Physical security and environmental controls;
- Customer data privacy;
- Vendor and third-party service provider management;
- Risk assessment; and,
- Incident response.
The requirements for the cybersecurity program are similarly detailed. The program must serve six core functions:
- identify internal and external cyber risks;
- use defensive infrastructure;
- detect cybersecurity events;
- respond to and mitigate identified or detected cybersecurity events;
- recover from cybersecurity events and restore normal operations; and,
- meet regulatory reporting obligations.
In addition, the cybersecurity programs must include regular employee training on cybersecurity, and contain controls sufficient to monitor user activity and detect unauthorized user access.
The regulations also impose significant data retention and audit requirements. The cybersecurity program must limit user access privileges, and maintain user access logs. There must be sufficient data retained to audit and track transactions and cybersecurity events. This data must be retained for at least six years.
The regulations require that the cybersecurity program be challenged on a quarterly basis through a vulnerability assessment. Annually, each business must conduct penetration testing and a new risk assessment.
The cybersecurity program must also include a written Incident Response Plan (IRP) that addresses seven specific areas:
- The internal processes for responding to a cybersecurity event;
- The goals of the incident response plan;
- The definition of clear roles, responsibilities and levels of decision-making authority;
- External and internal communications and information sharing;
- Remediation of any identified weaknesses in Information Systems and associated controls;
- Documentation and reporting regarding cybersecurity events and related incident response activities; and,
- The evaluation and revision of the incident response plan following a cybersecurity event.
The regulations also require reporting to the NYDFS of any event that has a reasonable likelihood of having a material effect on operations or affects nonpublic information.
Corporate Governance & Personnel
The regulations also impose, for the first time under U.S. law, several requirements that impact corporate governance. First, all covered businesses will be required to have the cybersecurity policy reviewed by the board of directors (or similar body) and approved by a senior managing officer. The board must be responsible for regularly assessing the business’s cyber risks, policies, and programs.
Second, the new rules will require minimum cybersecurity personnel. All covered businesses must designate a qualified Chief Information Security Officer. In addition, covered businesses must have additional personnel who shall attend regular cybersecurity training and stay abreast of changing risks and countermeasures.
Third-Party & Vendor Risks
Finally, the regulations include requirements for third party contracts. This effectively extends the regulations’ application to non-covered businesses.
Covered businesses must maintain written policies applicable to third-party vendor information systems that address four specified areas, including due diligence of third-party vendors and the minimum cybersecurity practices that third-party vendors must adhere to.
In addition, the regulations require that vendor contracts address multi-factor user authentication, encryption, cybersecurity event notice, and identity theft protection services in the event of a breach.
The proposed regulations are sweeping in both breadth and jurisdiction. A 45-day notice and comment period on the regulations begins September 28, 2016. Absent any changes, the regulations are scheduled to go into effect on January 1, 2017, and permit covered businesses 180 days to comply.
For many covered businesses, existing cybersecurity policies and plans will not meet the new requirements. Businesses should immediately begin reviewing their current cybersecurity plans for compliance and partner with experienced counsel to address any gaps by the deadline.