NY Department of Financial Services Cybersecurity Regulations: An Update
The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, consumer lenders, mortgage brokers, holding companies and premium finance agencies.
June 28, 2018 at 02:30 PM
The New York State Department of Financial Services has promulgated 17 new cybersecurity regulations which apply to regulated entities doing business in New York. The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, consumer lenders, mortgage brokers, holding companies and premium finance agencies. These regulations require encryption of all non-public information held or transmitted by the covered entity, require each regulated company to promulgate a written cybersecurity program, and require it to appoint a chief information security officer (“CISO”), who must report directly to the board of directors and issue an annual report setting forth an assessment of the company's cybersecurity compliance and any identifiable risks for potential breaches. See New York 23 NYCRR Section 501 et seq. The purpose of the new regulations is to enhance data security, and to prepare for and prevent cybersecurity attacks against financial institutions that hold confidential customer information. According to its preamble, “this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.” With the possible exception of Massachusetts, which implemented a wide-reaching cybersecurity law in 2010, the DFS regulations are the first in the nation to require specific state-wide cybersecurity measures for an entire industry. Given New York's status as a financial center, the DFS regulations are expected to have wide-ranging effects and to influence insurance and financial services practices throughout the country.
The DFS rules require each covered company to establish a comprehensive written cybersecurity policy addressing specific areas, including information security, data governance and classification, a business continuity and disaster recovery plan, systems operations and availability concerns, network security, customer data privacy, risk assessment, and related topics. The written cybersecurity policy should also contain a proposed plan of response to a potential data breach or other cyber-event, which must be reviewed and approved by the board of directors and chief executive on an annual basis. As a practical matter, compliance with the new regulations imposes some hurdles. In the first instance, determining the compliance dates of the regulations is not a simple matter. The implementation dates of these regulations are staggered: some regulations went into effect in 2017, others became active on March 1, 2018, and still others are being implemented on September 1, 2018. The final regulation, which requires registrants to attest to the cybersecurity practices and policies of their third-party vendors, goes into effect on March 1, 2019. Registrants that have missed the March 2018 deadline for filing a cybersecurity plan with DFS may have received a notice of non-compliance, warning them that they should file their plans and get to work on preparing for cybersecurity compliance. While at the time of writing the authors have not seen any major enforcement actions by DFS, this is likely to change in the not-too-distant future. The 17 regulations, and their compliance dates, can be summarized as follows:
| Regulation No. | Regulation | Effective Date |
| --- | --- | --- |
| 500.2 | Cybersecurity program to be maintained | March 1, 2017 |
| 500.3 | Written cybersecurity policy approved by senior officer or board; may be affiliate program | March 1, 2017 |
| 500.4 | Chief Information Security Officer must be appointed; can be affiliate or outside contractor | March 1, 2018 |
| 500.5 | Penetration testing or continuous monitoring | March 1, 2018 |
| 500.6 | Audit trail: maintain financial and other information for two to five years | September 1, 2018 |
| 500.7 | Limit and review access privileges | March 1, 2017 |
| 500.8 | Application security: written procedures for in-house applications | September 1, 2018 |
| 500.9 | Periodic risk assessments in accordance with written policies | March 1, 2018 |
| 500.10 | Use, hiring and training of qualified cybersecurity personnel | March 1, 2017 |
| 500.11 | Third-party providers: written policy and procedure | March 1, 2019 |
| 500.12 | Multifactor authentication for accessing data from an external network | March 1, 2018 |
| 500.13 | Limitations on data retention: can't maintain unnecessary data | September 1, 2018 |
| 500.14 | Training and monitoring of authorized users | September 1, 2018 (section a); March 1, 2018 (section b) |
| 500.15 | Encryption of non-public information | September 1, 2018 |
| 500.16 | Written incident response plan | March 1, 2017 |
| 500.17 | Notice to Superintendent of cybersecurity events | March 1, 2017 |
| 500.18 | Maintain confidentiality of non-public information | March 1, 2017 |
Limited partial exemptions are available for a number of regulated entities. For example, a smaller registrant with fewer than 10 employees, less than $5 million in gross revenue (including affiliates) from business in New York, or less than $10 million in total assets (including affiliates) is exempt from nine of the 17 regulatory requirements, including the need to appoint a chief information security officer, maintain an audit trail, use and hire qualified cybersecurity staff, and implement multi-factor authentication, encryption or a written incident response plan. A partially exempt registrant must still file a notice of exemption and comply with the remaining regulations. A different limited exemption is available for a risk retention group that is licensed under New York Insurance Law Section 5904, as well as for a charitable annuity or a reinsurer. There is also an exemption for registrants that do not use or access non-public information. While employees of covered entities are themselves considered covered entities under the rules, these individuals are exempt from compliance and need not develop their own cybersecurity programs to the extent they are covered by the cybersecurity programs of their employer. In addition, covered entities that do not operate, maintain or control information systems and do not receive non-public information are exempt from 12 of the 17 specified requirements of the regulations. Non-public information is defined as business information of the covered entity (including, presumably, trade secrets), personal identifying information about an individual, and any information or data regarding medical or health care treatment of an individual. A registrant's cybersecurity program should comply with the 17 requirements of the DFS regulations. These are summarized as follows, bearing in mind that the actual text of the regulations contains additional details. The registrant should:
- Maintain a cybersecurity program. This may be adopted from an affiliate, and should detect and prevent cybersecurity risks and use defensive infrastructure.
- Prepare a written cybersecurity policy approved by a senior officer or the board. This policy should meet 14 factors outlined in the regulations. The factors include information security, data governance and classification, asset inventory and device management, access controls, business continuity and disaster recovery planning. They also include systems operations; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third party service provider management; risk assessment and incident response.
- Designate a Chief Information Security Officer, who should maintain cybersecurity policies and procedures and issue an annual written report to the board of directors about the firm's cybersecurity program and any lapses. The CISO may be an independent contractor or work for an affiliate.
- Engage in penetration testing by continuous monitoring or by annual testing, as well as biannual vulnerability assessments.
- Maintain an audit trail designed to reconstruct material financial transactions and designed to detect and respond to cybersecurity events.
- Limit and periodically review access privileges.
- Engage in periodic risk assessments designed to anticipate potential cybersecurity threats.
- Use and train qualified cybersecurity personnel.
- Institute written guidelines for maintaining the security of internal and external applications used by the company.
- Prepare a written policy and procedure for third-party providers' data security, including risk assessment; minimum cybersecurity practices; periodic assessment of cyber-risk provided by third party providers; guidelines for due diligence; third parties' use of encryption and related issues.
- Prepare written limitations on data retention.
- Require multi-factor authentication for any person accessing the company's internal networks from an external network.
- Encrypt nonpublic information, to the extent feasible.
- Train and monitor company personnel regarding cybersecurity.
- Prepare a written incident response plan, including internal roles, goals, remediation, etc.
- Give notice to the superintendent in the event of a data breach.
- Maintain the confidentiality of non-public information.
Conclusion
The New York DFS cybersecurity regulations are being implemented on a staggered schedule, with additional compliance dates scheduled for September 2018 and March 1, 2019. The requirements of the DFS regulations should be noted not only by registrants, but also by vendors who do business with them. Registrants should act diligently to ensure their compliance with DFS cybersecurity requirements. Cybertechnology experts are expecting enforcement action from the DFS, and no company wants to be the first case.