The New York Department of Financial Services’ Cyber Requirements for Financial Services Companies, 23 NYCRR 500 (“Cyber Regulations”) went into effect on March 1, 2017. The Cyber Regulations are intended to require financial companies to assess their internal cybersecurity risks and develop a cybersecurity program to protect customer information and their IT systems, as well as respond, recover, and report cyber threats. The Cyber Regulations establish a comprehensive set of proactive cybersecurity standards for companies to follow, involving everything from appointing a designated Chief Information Security Officer (CISO) to submitting an annual compliance notice, and conducting penetration testing and vulnerability assessments.
Here is an overview of some key terms, requirements and deadlines under these new regulations.
- Covered Entities include nongovernmental banks, insurance companies, investment firms, and other financial institutions subject to New York’s Banking Law, Insurance Law and Financial Services Law (Section 500.01). As a result, the Cyber Regulations cover a wide range of financial institutions that may extend further than the types of companies regulated by the federal Gramm-Leach-Bliley Act. While the Cyber Regulations include certain full exemptions to certain financial institutions in various insurance lines, it partially exempts others from some of the requirements, including those who have (i) fewer than 10 employees, (ii) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or (iii) less than $10,000,000 in year-end total assets (Section 500.19). Partially exempt financial organizations are not required to designate a CISO or perform penetration testing, however, they must still maintain a written cybersecurity program and related policies, perform risk assessments, monitor third party access, and limit their data retention.
- Cybersecurity Event is “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an [i]nformation [s]ystem or information stored on an [i]nformation [s]ystem,” including Nonpublic Information.
- Nonpublic Information is defined as “all information that is not [p]ublicly [a]vailable [or reasonably believed to be lawfully available to the public]” and is related to the business (such that an unauthorized disclosure would materially and adversely impact the entity), personal information, or information derived from a health care provider (Section 500.01(g)).
- Risk Assessments are at the heart of the Cyber Regulations, which require Covered Entities to perform periodic risk assessments of the company’s information systems and protection of Nonpublic Information. Risk assessment procedures are required be contained within a written company policy which includes (i) criteria for evaluating and categorizing risks, assessing the confidentiality, integrity, security and availability of the information systems and adequacy of existing controls; and (ii) requirements describing how risks will be addressed, mitigated or accepted. The risk assessment will be the foundation of the Covered Entity’s cybersecurity program and future testing.
- Comprehensive Cybersecurity Policy must be (i) written, (ii) approved by the Covered Entities’ Senior Officer or Board of Directors (or equivalent) and (ii) set forth the procedures and policies for protecting the company’s information systems and any Nonpublic Information contained therein. The Cyber Regulations require that the comprehensive cybersecurity policy be based on the risk assessment and address the following topics (Section 500.03):
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and third party service provider management;
- risk assessment; and
- incident response.
- Chief Information Security Office (CISO), i.e. a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy, must be designated by a Covered Entity (Section 500.04). The CISO are responsible for providing written reports to the company’s Board (or equivalent body) at least annually. CISOs may be an employee or affiliate of the Covered Entity, or contracted through a third-party service provider, subject to oversight terms.
- Reporting Cybersecurity Events to the NYDFS Superintendent must be conducted no later than 72 hours from a determination that a Cybersecurity Event has occurred that either (i) impacts the covered entity of which notice is required by another government agency; or (ii) has a reasonable likelihood of materially harming any material part of the Covered Entity’s normal operations (Section 500.17).
- Data Governance Requirements include limiting user access privileges to information systems that provide access to Nonpublic Information and periodically review such access privileges (Section 500.07), utilizing qualified cybersecurity personnel and intelligence (Section 500.10), and establishing an incident response plan (Section 500.16).
- Technical Requirements and Controls mandated by the Cybersecurity Regulation involve (i) performing annual penetration testing and biannual vulnerability assessments (Section 500.05), (ii) implementing multi-factor authentication (Section 500.12), (iii) encrypting Nonpublic Information (in transit and at rest) (Section 500.15), and (iv) securing and tested internally- and externally-developed applications (Section 500.08).
- Annual Certification requires that each Covered Entity submit to the NYDFS Superintendent a written statement covering the prior calendar year, due by February 15 of that year, starting in 2018 (Section 500.17(b)). Much like the federal Sarbanes-Oxley Act, the statement must certify that the Covered Entity is in compliance with the Cybersecurity Regulation. To the extent that the Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign in its Risk Assessment, the Covered Entity must document the identification and the remedial efforts planned and underway to address such areas, systems or processes.
- Enforcement and Remedies for noncompliance are not specifically outlined in the Regulations. The Regulations will be enforced by the NYDFS Superintendent, who has broad remedial authority, including monetary penalties, injunctive relief (e.g., possible revocation of a license), and orders requiring corrective action. The monetary penalties could vary widely based upon the severity of the offense and the number of violations. In addition, the NYDFS can also conduct audit examinations of Covered Entities and inspect recordkeeping.
- August 28, 2017 – Covered Entities are required to be in compliance with Sections:
- 02 – Maintain a Cybersecurity Program based on its Risk Assessment
- 03 – Implement and Maintain Risk-Based Cybersecurity Policies
- 04(a) – Designate a CISO
- 07 – Access Privileges
- 10 – Cybersecurity Personnel and Intelligence
- 16 – Incident Response Plan
- 17(a) – Notices to Superintendent of Cybersecurity Events
- 18 – Confidentiality
- September 27, 2017 – Initial 30-day period for filing Notices of Exemption under Section 500.19(e) ends.
- February 15, 2018 – Covered Entities are required to submit the first certification under Section 500.17(b) on or prior to this date, and continue to do so annually on the NYDFS’ online Cybersecurity Filing portal.
- March 1, 2018 – One-year transitional period ends. Covered entities are required to be in compliance with all the requirements of sections:
- 04(b) – At least Annual CISO Report to Board (or equivalent body)
- 05 – Annual Penetration Testing and Bi-Annual Vulnerability Assessments
- 09 – Periodic Risk Assessment
- 12 – Multi-Factor Authentication
- 14(b) – Regular Cybersecurity Awareness Training
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections:
- 06 – Audit Trail
- 08 – Application Security
- 13 – Data Retention Limits
- 14(a) – Policies and Procedures for Monitoring Network Activity
- 15 – Encryption of Nonpublic Information.
March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of Section 500.11 – Third Party Service Provider Security Policy.