- NY DFS Publishes Final Cybersecurity Rules for Financial Services Companies
- March 7, 2017 | Authors: Mark D. Herlach; John S. Pruitt; Stephen E. Roth; Cynthia R. Shoss; Phillip E. Stano; Mark Thibodeaux; Mary Jane Wilson-Bilik; John Allen Zumpetta
- Law Firms: Eversheds Sutherland (US) LLP - Washington Office; Eversheds Sutherland (US) LLP - New York Office; Eversheds Sutherland (US) LLP - Washington Office; Eversheds Sutherland (US) LLP - New York Office; Eversheds Sutherland (US) LLP - Washington Office; Eversheds Sutherland (US) LLP - Houston Office; Eversheds Sutherland (US) LLP - Washington Office; Eversheds Sutherland (US) LLP - New York Office
- On March 1, 2017, the New York Department of Financial Services (the DFS) published a notice of adoption of its final cybersecurity regulation (the Final Regulation). The regulation was first announced with much fanfare by New York Governor Andrew Cuomo in September 2016 as the first-in-nation cybersecurity regulation to protect consumers and financial institutions. A substantially revised proposal was published in December 2016.
The Final Regulation became effective on March 1, 2017, and entities subject to the regulation have 180 days from this effective date to comply, although the regulation allows additional time to comply with certain requirements.
The regulation does more than promote the protection of nonpublic information of consumers. It requires insurance companies, insurance agents and brokers, banks, and other financial services providers regulated by the DFS (Covered Entities) to conduct risk assessments of their information technology (IT) systems and maintain a cybersecurity program based on that assessment, and imposes a number of standards and requirements for governance and operation of the IT systems. Moreover, the regulation does not cover just New York domiciliaries. Instead, it extends its reach to individuals and entities that are not domiciled in New York, but are operating under or required to operate under a New York license, registration, charter or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.
The notice of adoption includes the Department’s responses to public comments it received, as required by state law. Addressing comments submitted in response to the December 2016 revised proposal, DFS made a few notable changes and several other minor changes.
Of particular interest to the insurance industry, certain classes of insurers—namely accredited reinsurers, certified reinsurers, non-domestic risk retention groups, and charitable annuity societies—are now fully exempt from the Final Regulation, provided such entities do not otherwise qualify as Covered Entities. Further, the DFS has added a limited exemption for captive insurance companies. These exemptions and other important revisions to the Final Regulation are discussed below. (For more details about additional key provisions and the development of the regulation, please see our Legal Alerts: NY DFS Announces Proposal for Cybersecurity Rules for Financial Services Companies and NY DFS Publishes Revised Proposed Cybersecurity Rules for Financial Services Companies.)
- Cybersecurity Program
- Audit Trail
- Notices To Superintendent
The Final Regulation also provides a limited exemption for captive insurance companies, which exempts captive insurers from many of the regulation’s requirements, including the technical cybersecurity program and policy requirements, the audit trail requirements, and the multifactor authentication requirements. Captive insurers must submit a notice of exemption to the DFS and still must comply with the requirements relating to risk assessments, third party service provider security policies, limitations on data retention, and notices to the DFS.
Further, the Final Regulation retains the exemptions found in the proposed version, while clarifying eligibility for certain exemptions. Under the Final Regulation, a Covered Entity is eligible for the gross-annual-revenue limited exemption when “New York business operations of the Covered Entity and its Affiliates” do not exceed $5 million in gross annual revenue, and a Covered Entity is eligible for the under-10-employees limited exemption when the Covered Entity and its Affiliates have fewer than 10 employees (including any independent contractors) that are located in New York or are responsible for the business of the Covered Entity. However, the DFS did not address the scope of the term “independent contractor” despite requests to limit it to contractors providing services relevant to insurance operations.