New York's Cyber Regulation Two Years Later: We've Only Just Begun
The conclusion of the “transitional period” for New York's cybersecurity regulation marks the beginning, rather than the end, of an organization's compliance efforts.
April 03, 2019 at 02:30 PM
8 minute read
The original version of this story was published on New York Law Journal
Financial institutions regulated by New York's Department of Financial Services (DFS) can breathe a sigh of relief, at least temporarily. Two years after DFS's “Cybersecurity Requirements for Financial Institutions” took effect, and more than three years after the cybersecurity regulation was announced, the final provision of the law became effective on March 1 of this year.
But the celebrations must be short. DFS got it right when describing its then-new regulation as the “first in the nation.” Like the federal Sarbanes-Oxley Act of 2002, financial institutions will have to certify annually that their internal controls and cybersecurity practices remain up to snuff. And now that the transitional periods for implementing the cyber regulation have passed, covered institutions will need to certify that they have complied with each provision.
Some of those requirements are one-off. For example, §500.04 required each covered entity to “designate” a Chief Information Security Officer or CISO. And §500.16 required companies to establish an Incident Response Plan. Absent changes at the company or a need to update compliance, covered entities will not have much to do on a day-to-day basis when it comes to these two requirements.
But those one-time provisions are the exception. For the rest of the regulation, covered entities will need to check (and then re-check) their cybersecurity controls, policies and practices in order to remain in compliance.
The regulation's ongoing obligations can be broken into three categories—provisions that: (1) have set deadlines; (2) mandate “periodic” action; and (3) require near-constant attention.
|Set Deadlines
There are a handful of provisions that require companies to take action on a predictable and regular basis:
• Vulnerability Assessments: Section 500.05(b) requires, for those companies that do not perform continuous monitoring on their network, to conduct “bi-annual vulnerability assessments, including systematic scans or reviews of Information Systems.” Under the regulation, “Information Systems” means a company's information technology environment including its network.
• Penetration Testing: §500.05(a) requires, again for those companies that do not use continuous monitoring, the performance of annual penetration testing.
• CISO Report: §500.04(b) requires the CISO, “at least annually,” to provide a written report to the organization's board of directors or equivalent governing body, covering a variety of topics that are spelled out in the regulation.
• Encryption Alternatives: §500.15(b) requires, for those companies employing alternative compensating controls instead of encryption, the CISO to consider annually “the feasibility of encryption and effectiveness of the compensating controls.”
• Compliance Certification: As most covered entities should know by now, annually each company must submit a certificate of compliance to DFS attesting to the organization's compliance with the regulation for the past fiscal year.
• Exemption Certification: Although the text of the regulation does not require companies qualifying for a limited or complete exemption to “re-file” their exemption, according to DFS's website, companies must re-file their notice of exemption every two years.
|Periodic Obligations
Several of the regulation's provisions require “periodic” review and action. To date, DFS has yet to define what “periodic” means, and it's unlikely that the agency will do so. As the previous examples demonstrate, when DFS wants to set hard-and-fast deadlines, it knows exactly what to do. Accordingly, companies will need to use their own judgment to decide when to take action based on their own circumstances, risk profile and on a provision-by-provision basis.
• Risk Assessment: For companies that conducted their first risk assessment in 2018 to comply with §500.09, more work is likely on the horizon. The regulation requires companies to conduct “a periodic” risk assessment. At a minimum, institutions should update their risk assessment in response to changes to their information security systems or data security environment, which could include various scenarios such as migrating to the cloud, launching a public-facing website, or merging with a new company.
But the risk assessment itself is only half of the equation. Many of the regulation's requirements are keyed off of the risk assessment: §500.03's policy obligations, §500.06's audit trail requirements, and §500.15's encryption mandates—just to name a few—are all subject to an organization's risk assessment. When companies conduct a periodic risk assessment, they will need to carefully review and evaluate their cybersecurity program in light of whatever findings are made.
• Access Privileges: §500.07 requires that companies “periodically review … access privileges.” Access privileges, as the name suggests, determines who can access parts of a company's network, and should be monitored on a regular basis. And the “periodic” nature of the review might change depending on the scenario. For example, companies might remove user access privileges immediately for those who part ways with the company. On the other hand, a company could review (and alter as needed) the access privileges of current users on a monthly or quarterly basis.
• Data Retention: Finally, companies must “dispos[e] on a periodic basis of any Nonpublic Information” that is “no longer necessary” for “business operations or for other legitimate business purposes.” Whatever periodic timeframe an organization choses, DFS requires that it be identified in its written “policies and procedures.”
|Constant Compliance
Last, but certainly not least, are the regulatory requirements that affect an organization's day-to-day operations. These can be broken down into a handful of categories:
• Maintenance: Several provisions in the regulation require companies to “maintain” their cybersecurity environment and cybersecurity policies. First and foremost,§500.02 requires covered entities to “maintain” a “cybersecurity program designed to protect the confidentiality, integrity and availability” of their information systems. As DFS has explained in a recent memo, it expects companies to treat cyber issues as a “governance issue,” and as a result, companies would be well advised to regularly review and evaluate the effectiveness of their cybersecurity program.
The regulation uses the same verb—“maintain”—in its description of an organization's audit trail obligations. In §500.06, DFS mandates that entities must “securely maintain systems” that are “designed to reconstruct material financial transactions.” In conjunction with the retention obligation for that provision (“not fewer than five years”), the regulation appears to expect companies to continually ensure they have sufficient information to reconstruct business-critical financial transactions on a trailing five-year basis.
- Breach Notices: As companies that have suffered a data security incident—or “Cybersecurity Event”—know, §500.17 imposes an accelerated reporting deadline. No “later than 72 hours from a determination” that a qualifying event has occurred, companies must provide DFS with notice. Beating the 72-hour shot-clock requires established chains of communications between companies' IT employees and their compliance teams.
- Third-Party Service Providers. As other commentators have discussed at length, the most time-consuming and demanding provisions of the cybersecurity regulation are those governing companies' interactions with third-party vendors.
Part (a) of §500.11 could be handled in one swoop. Using their risk assessments, companies must “implement written policies and procedures” designed to ensure the security of information systems and nonpublic information accessible to third parties. Those policies must cover the identification of risk, minimum cybersecurity practices, due diligence processes and periodic assessments.
But, from there, the §500.11's obligations go outward and onward. Subsection (b) calls for “guidelines for due diligence and/or contractual protections relating to Third Party Service Providers.” This language suggests that DFS expects companies to review and evaluate their vendors and contracting parties with access to their network or sensitive information. Indeed, in response to an FAQ posted on the DFS website, the agency emphasized that covered organizations should perform “a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution.” Accordingly, for each contract in which a third party has access to a covered entity's information systems or nonpublic information, DFS expects a certain level of due diligence and “contractual protections” governing cybersecurity, subject to the organization's risk assessment process.
|Conclusion
The conclusion of the “transitional period” for New York's cybersecurity regulation marks the beginning, rather than the end, of an organization's compliance efforts. Although financial institutions might be fully compliant today, that could easily change absent ongoing diligence and monitoring.
Craig A. Newman is a partner and Kade N. Olsen is an associate at Patterson Belknap Webb & Tyler.
This content has been archived. It is available through our partners, LexisNexis® and Bloomberg Law.
To view this content, please continue to their sites.
Not a Lexis Subscriber?
Subscribe Now
Not a Bloomberg Law Subscriber?
Subscribe Now
NOT FOR REPRINT
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.
You Might Like
View AllTrending Stories
- 1Recent Decisions Regarding the Telephone Consumer Protection Act
- 2The Tech Built by Law Firms in 2024
- 3Distressed M&A: Mass Torts, Bankruptcy and Furthering the Search for Consensus: Another Purdue Decision
- 4For Safer Traffic Stops, Replace Paper Documents With ‘Contactless’ Tech
- 5As Second Trump Administration Approaches, Businesses Brace for Sweeping Changes to Immigration Policy
Who Got The Work
Michael G. Bongiorno, Andrew Scott Dulberg and Elizabeth E. Driscoll from Wilmer Cutler Pickering Hale and Dorr have stepped in to represent Symbotic Inc., an A.I.-enabled technology platform that focuses on increasing supply chain efficiency, and other defendants in a pending shareholder derivative lawsuit. The case, filed Oct. 2 in Massachusetts District Court by the Brown Law Firm on behalf of Stephen Austen, accuses certain officers and directors of misleading investors in regard to Symbotic's potential for margin growth by failing to disclose that the company was not equipped to timely deploy its systems or manage expenses through project delays. The case, assigned to U.S. District Judge Nathaniel M. Gorton, is 1:24-cv-12522, Austen v. Cohen et al.
Who Got The Work
Edmund Polubinski and Marie Killmond of Davis Polk & Wardwell have entered appearances for data platform software development company MongoDB and other defendants in a pending shareholder derivative lawsuit. The action, filed Oct. 7 in New York Southern District Court by the Brown Law Firm, accuses the company's directors and/or officers of falsely expressing confidence in the company’s restructuring of its sales incentive plan and downplaying the severity of decreases in its upfront commitments. The case is 1:24-cv-07594, Roy v. Ittycheria et al.
Who Got The Work
Amy O. Bruchs and Kurt F. Ellison of Michael Best & Friedrich have entered appearances for Epic Systems Corp. in a pending employment discrimination lawsuit. The suit was filed Sept. 7 in Wisconsin Western District Court by Levine Eisberner LLC and Siri & Glimstad on behalf of a project manager who claims that he was wrongfully terminated after applying for a religious exemption to the defendant's COVID-19 vaccine mandate. The case, assigned to U.S. Magistrate Judge Anita Marie Boor, is 3:24-cv-00630, Secker, Nathan v. Epic Systems Corporation.
Who Got The Work
David X. Sullivan, Thomas J. Finn and Gregory A. Hall from McCarter & English have entered appearances for Sunrun Installation Services in a pending civil rights lawsuit. The complaint was filed Sept. 4 in Connecticut District Court by attorney Robert M. Berke on behalf of former employee George Edward Steins, who was arrested and charged with employing an unregistered home improvement salesperson. The complaint alleges that had Sunrun informed the Connecticut Department of Consumer Protection that the plaintiff's employment had ended in 2017 and that he no longer held Sunrun's home improvement contractor license, he would not have been hit with charges, which were dismissed in May 2024. The case, assigned to U.S. District Judge Jeffrey A. Meyer, is 3:24-cv-01423, Steins v. Sunrun, Inc. et al.
Who Got The Work
Greenberg Traurig shareholder Joshua L. Raskin has entered an appearance for boohoo.com UK Ltd. in a pending patent infringement lawsuit. The suit, filed Sept. 3 in Texas Eastern District Court by Rozier Hardt McDonough on behalf of Alto Dynamics, asserts five patents related to an online shopping platform. The case, assigned to U.S. District Judge Rodney Gilstrap, is 2:24-cv-00719, Alto Dynamics, LLC v. boohoo.com UK Limited.
Featured Firms
Law Offices of Gary Martin Hays & Associates, P.C.
(470) 294-1674
Law Offices of Mark E. Salomone
(857) 444-6468
Smith & Hassler
(713) 739-1250