Transitional Period for New York DFS Legislation Requirements Ends Today
- August 28, 2017
- Lee Kirschbaum
Today, August 28, is a major milestone in the fight against cybercrime in the financial services industry. It marks the end of a 180-day transitional period for the approximately 4,000 regulated financial services and insurance companies operating in New York to comply with the New York Department of Financial Services’ Cyber Security Requirements (23 NYCRR 500).
The New York State Department of Financial Services (“DFS”) has been a pioneer in creating programs to address cyber threats posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. The “first-in-the-nation” regulations going into effect today require financial services organizations to develop and maintain robust cybersecurity programs to better secure consumer data and preserve the overall health of the financial services industry.
Provisions of the new regulations include:
- Controls relating to the governance of a cybersecurity program
- Risk-based standards, including access controls and encryption
- Breach response plans
- Notification to the state within 72 hours of a data breach
- Annual certifications of compliance to DFS
- Standards for each third-party service provider that works with a regulated firm, whether or not the provider operates in New York
NYDFS Superintendent Maria T. Vullo told Bloomberg BNA that the deadline “marks a significant milestone in protecting the financial services industry and the consumers” from rising cyberthreats.
Because there is no “comprehensive federal cybersecurity policy” in the financial services industry, Vullo said, “New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems.”
The requirements of the regulation that must be met by today include:
- Cybersecurity Program (500.02): Licensees are required to have a written cybersecurity program in place that is designed to protect the confidentiality, integrity, and availability of the licensee’s information systems (the “Cybersecurity Program”).
- Cybersecurity Policy (500.03): Implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment.
- Chief Information Security Officer (CISO) (500.04(a)): Designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, the “Chief Information Security Officer” or “CISO”).
- Access Privileges (500.07): Limit user access privileges to Information Systems that provide access to Nonpublic Information, and periodically review such access privileges.
- Cybersecurity Personnel (500.10): Utilize qualified cybersecurity personnel, provided with sufficient training.
- Incident Response Plan (500.16): Establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.
- Notice of Cybersecurity Event (500.17(a)): Notify the superintendent as promptly as possible, but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred.
Additional transitional periods are in effect for the following sections:
- One year to comply with: 500.04(b), 500.05, 500.09, 500.12, and 500.14(b)
- Eighteen months to comply with: 500.06, 500.08, 500.13, 500.14(a) and 500.15
- Two years to comply with: 500.11, covering third parties
While the DFS regulations apply to New York, their impact is expected to be far-reaching. Many of the firms affected are global financial services companies that either have operations in the state or are third parties supporting a covered entity.
In addition, the requirements for 72-hour notice of any data breach, even a suspected one, and the obligation to appoint a CISO are precedent-setting and we expect to see them outside financial services.
The longer-term regulations put third parties in scope in section 500.11, requiring a covered entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. This includes completing risk assessments of third party service providers, minimum cybersecurity practices to be met by the third party, due diligence to evaluate the adequacy of cyber security practices of a third party, and periodic assessments of the third party.
We’ll be watching the unfolding DFS legislation with interest, as it’s an important blueprint for information security risk management overall – and as it expands to encompass third parties, it will require considerable preparation, starting with the assessment and identification of third parties. Please contact us if you need help discussing or addressing your needs.