With the clock ticking down to the new year, on December 28, 2016, the New York State Department of Financial Services (NYDFS) released highly anticipated revisions to its proposed Cybersecurity Requirements for Financial Services Companies (the “Proposal”). As we previously reported, the NYDFS first announced the proposed regulations in September; at that time, they were slated to go into effect on January 1, 2017. The updated Proposal retains many core concepts from the first, establishing “certain regulatory minimum standards” relating to cybersecurity protections for the customer information and IT systems of banks, insurance companies and other NYDFS-regulated financial institutions. But multiple provisions have undergone substantial revision, ostensibly to address the many concerns and objections that NYDFS received during the 45-day comment period following its September publication of the original version.
Overall, the Proposal’s provisions appear to have been modified to allow Covered Entities to tailor their cybersecurity policies and practices to address the needs identified by their respective Risk Assessments, as appropriate to each organization. This post outlines some of the Proposal’s key requirements and highlights material changes from the earlier draft.
Note: Capitalized terms not otherwise defined in this post are defined in the Proposal.
Definitions. Across the board, one of the most significant changes is to the definition of Nonpublic Information. The original definition was considered remarkably broad by many, arguably encompassing almost any information maintained by a Covered Entity. The revised definition’s narrowed scope more closely tracks the definitions used in state and federal security breach notification statutes and should facilitate meaningful and effective compliance.
Cybersecurity Program. Covered Entities are required to “maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” The program is to be based on the Covered Entity’s Risk Assessment and designed to perform certain “core cybersecurity functions” listed in the Proposal.
Notably, the Proposal now allows a Covered Entity to adopt a cybersecurity program maintained by an Affiliate if that program fulfills the requirements of the rule. The Proposal also adds that all documentation and information relevant to the cybersecurity program must be made available to the NYDFS superintendent upon request.
Cybersecurity Policy. Covered Entities are required to implement and maintain a written policy (or policies) approved by a Senior Officer, board of directors or equivalent governing body to protect Information Systems and Nonpublic Information. Whereas the original version of this requirement listed areas that the policy must address, the revised provision indicates that the policy is to be “based on the Covered Entity’s Risk Assessment” and address the listed areas “to the extent applicable to the Covered Entity’s operations.” The Proposal adds “asset inventory and device management” as an area to cover and removes “capacity and performance planning” from the list.
Chief Information Security Officer (CISO). The Proposal removes the explicit requirement to appoint a CISO, but maintains the substantive obligation to designate a qualified individual to oversee and implement the cybersecurity program and enforce the policy. The Proposal clarifies that this individual may be an employee of the Covered Entity, an Affiliate or a Third Party Service Provider (subject to certain conditions).
The person filling this role still must provide a report to the board on the “cybersecurity program and material cybersecurity risks,” but now on an annual (rather than bi-annual) basis. The Proposal now specifies that the report must be “in writing” but eliminates the requirement to provide the report to the NYDFS upon request. The original version included a list of specific items that must be covered in the report, whereas the revised version indicates the CISO shall “consider” those issues “to the extent applicable” and removes the requirement to “propose steps to remediate inadequacies identified” altogether.
Audit Trail. The Proposal’s audit provision is much more streamlined than the original version, removing the bulk of the prescriptive requirements and instead allowing a Covered Entity to base its audit systems on its Risk Assessment, provided that the systems (1) are “designed” to reconstruct “material” financial transactions and are “sufficient to support normal operations and obligations” and (2) include audit trails “designed” to detect and respond to material Cybersecurity Events.
Risk Assessment. The requirement to conduct a Risk Assessment has been pared back from an “annual” to a “periodic” basis. The provision no longer includes an obligation to document justification for the mitigation or acceptance of identified risks, nor does it mandate the assignment of accountability for such identified risks.
Third Party Service Provider Security Policy. Covered Entities must implement a security policy for Third Party Service Providers, but they may base the policy on the potential risks identified through their Risk Assessment process. This change likely aims to respond to concerns that the original version did not allow Covered Entities to triage vendors by the actual security risks they may pose. In addition, the Proposal no longer requires that the cybersecurity program address (1) identity protection services for customers materially impacted by a Cybersecurity Event caused by a Third Party Service Provider’s negligence or willful misconduct, or (2) the Covered Entity’s right to audit a Third Party Service Provider’s cybersecurity compliance.
Multi-Factor Authentication. The original requirements to use Multi-Factor Authentication under specific enumerated circumstances have been replaced with a general mandate to use “effective controls” (including Multi-Factor Authentication or Risk-Based Authentication) to protect Nonpublic Information and Information Systems. And unless the CISO has provided written approval otherwise, Multi-Factor Authentication is required for remote access to internal networks.
Encryption of Nonpublic Information. The original encryption rules, which were widely seen as unreasonably broad, have been revised to include a feasibility standard. To the extent feasible, the Covered Entity must either encrypt Nonpublic Information both in transit over external networks and at rest or use “effective alternative compensating controls” as approved by the CISO (who must review such decisions annually).
Incident Response Plan and Notices to Superintendent. The written incident response plan requirement now includes a materiality standard, ostensibly narrowing the range of incidents that would trigger a full response. Further, although the Proposal retains an obligation to notify the NYDFS superintendent within 72 hours, it has been modified to specify that the clock starts ticking at the point when the Covered Entity has made “a determination” that a specific type of Cybersecurity Event has occurred. The previous standard required notification within 72 hours of “becoming aware” of a Cybersecurity Event. Cybersecurity Events triggering the notification obligation are those that would (1) require notice to any other regulatory entity or (2) have “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”
Compliance Timeframes. The original proposal required full compliance within 180 days of its effective date, which many commenters indicated would be insufficient. Responding to these concerns, the Proposal now includes staggered compliance windows to give Covered Entities additional time to comply with certain provisions. To offer a few examples, Covered Entities will have one year to comply with the CISO reporting requirement, the Risk Assessment section and the Multi-Factor Authentication requirement; 18 months to implement the Audit Trail section and the encryption requirements; and two years from the effective date to comply with the Third Party Service Provider security policy provisions.
Following a 30-day notice and public comment period, the Proposal is scheduled to go into effect on March 1, 2017. The NYDFS’s announcement indicated that the Department will focus its review on new comments that “were not previously raised in the original comment process.”