- NY DFS Announces Proposal for Cybersecurity Rules for Financial Services Companies
- September 22, 2016 | Authors: Mark D. Herlach; John S. Pruitt; Stephen E. Roth; Cynthia R. Shoss; Phillip E. Stano
- Law Firms: Sutherland Asbill & Brennan LLP - Washington Office; Sutherland Asbill & Brennan LLP - New York Office
On September 13, 2016, New York Governor Andrew Cuomo announced a proposal by the New York Department of Financial Services (the DFS) of a rule that establishes cybersecurity requirements for financial services companies regulated by the DFS (the NY Regulation). The NY Regulation is the culmination of three years of work by the DFS to prioritize cybersecurity oversight.
Background. In 2013, the DFS surveyed 150 regulated banking organizations concerning cybersecurity programs, costs and future plans and then followed up by surveying 43 insurance companies about their cybersecurity programs. Findings were published in 2014 and 2015. In November 2015, the DFS wrote to various federal agencies with oversight over financial institutions, informing them that there was a demonstrated need for robust regulatory action in the cybersecurity space and that the DFS was working on a regulation to increase cybersecurity defenses within the financial sector. The DFS outlined what it expected its regulation would require.
Meanwhile, in 2015, the National Association of Insurance Commissioners (NAIC) formed a Cybersecurity Task Force that has been working on an Insurance Data Security Model Law (Model Law). The Task Force plans to complete the Model Law by year end.
The DFS has now presented its proposal. If adopted as proposed, the NY Regulation would become effective on January 1, 2017, and entities subject to the regulation would have 180 days from this effective date to comply. A notice of proposed rulemaking (NOPR) has not yet been published in the New York State Register (the Register), but is expected to be published in the September 28 issue. A 45-day comment period starting on September 28 would end on November 12, 2016.
Summary. While the NY Regulation has many of the same features as the NAIC’s Model Law, the NY Regulation imposes far more particularized cybersecurity requirements. While the framework from the November 2015 outline was kept intact, the NY Regulation contains a number of changes and additions. Notable among them are requirements for annual risk assessments that include annual penetration testing and quarterly vulnerability assessments, specific requirements for access privileges, data retention, encryption of nonpublic information, and a requirement for vendors to provide identity protection services for customers affected by a breach caused by their negligence or willful misconduct (this is in lieu of a broad indemnity, which the DFS indicated in the framework would be required).
Key takeaways from the proposed NY Regulation include:
- Applicability to “Covered Entities”
- Protection of “Nonpublic Information” and “Information Systems”
- Cybersecurity Program, including:
  - Annual penetration testing;
  - Quarterly vulnerability assessments;
  - Audit trail systems;
  - Limitations to access privileges;
  - Personnel training and monitoring;
  - Encryption of Nonpublic Information both when in transit and at rest (although a five-year phase-in period is allowed under specified circumstances);
  - A written incident response plan;
  - Policies and procedures for the timely destruction of Nonpublic Information that is no longer necessary for the provision of the products and services for which it was supplied; and
  - Procedures to ensure that applications utilized by the Covered Entity are secure.
- Management Oversight
- Chief Information Security Officer
- Third-Party Information Security Policy
- Multi-Factor Authentication
- Reports and Notices to the DFS Superintendent