The New York Department of Financial Services (NYDFS)'s "first-in-the-nation" cybersecurity regulation ("the Regulation"), 23 NYCRR 500, became effective March 1, 2017. The Regulation was designed to "promote the protection of customer information as well as the information technology systems of regulated entities." 23 NYCRR 500.00.

Although the Regulation includes some limited exemptions, even those exemptions still require entities and individuals licensed by NYDFS ("Covered Entities")—essentially, banks, insurers and other financial services firms located in and outside of New York—to implement certain cybersecurity programs and practices consistent with the Regulation, including risk assessments and controls for third-party service providers (TPSPs) under section 500.11 of the Regulation.

Earlier this year, in March 2019, the two-year implementation period for the Regulation expired, and NYDFS stressed that it expected Covered Entities to have completed a thorough due diligence process of all TPSPs by that deadline.

By now, Covered Entities should have a risk assessment-based cybersecurity program in place that addresses the minimum standards set by the Regulation, including written policies and procedures designed to protect consumers' private data that is accessed or held by TPSPs. TPSPs should have the necessary technical systems and policies in place to ensure the proper processing and protection of data provided by Covered Entities. Now, for the first time since its implementation, Covered Entities have until Feb. 15, 2020, to certify their compliance with the Regulation with respect to TPSPs, marking the culmination of arguably the most challenging stage of the process.

Most, if not all, Covered Entities use third parties to support essential aspects of their operations. These TPSPs, as defined under the Regulation, broadly include any outside service provider that "maintains, processes or otherwise is permitted access to 'Nonpublic Information'—which includes confidential 'business related' information critical to the operation and security of the Covered Entity and individual personal information, including information of non-New York residents—through its provision of services to the Covered Entity," regardless of where the TPSP is located. 23 NYCRR 500.01(n).

The TPSP rules thereby extend the reach of the Regulation far beyond entities and individuals licensed by NYDFS, and could include New Jersey companies in a range of fields so long as they are performing services for Covered Entities that give them access to Nonpublic Information. New Jersey's comparable cybersecurity legislation, introduced in 2018, which would require certain persons and business entities to maintain a comprehensive information security program, is still pending (Assembly Bill No. 1766, Senate Bill No. 2692). However, New Jersey TPSPs that are compliant with the requirements of the New York Regulation will be well-prepared for any future cybersecurity legislation out of Trenton.

A cybersecurity program is only as strong as its weakest link and, unfortunately, in many cases that link is with TPSPs. Indeed, many recent, high-profile data breaches resulted from security vulnerabilities originating at a TPSP. Under the Regulation, Covered Entities maintain ultimate responsibility for ensuring that their confidential data is adequately protected, including that data accessible by the Covered Entity or a TPSP.

Practically speaking, the prescriptions of the Regulation extend to a litany of TPSPs ranging from payroll companies, outside IT specialists, cloud data storage services, and point-of-sale solutions providers, to accountants and outside counsel. Thus, the process of assessing the adequacy of TPSPs' cybersecurity policies, implementing new preventative measures and procedures to ensure compliance, and engaging in requisite contractual reviews and revisions for the potentially numerous TPSPs, has been a substantial undertaking for all parties involved.


Challenge to Covered Entities

Under section 500.11 of the Regulation, all Covered Entities must identify and assess potential risks associated with their use of TPSPs and implement written policies and procedures designed to ensure the security of information that is accessible to or held by TPSPs. TPSPs are broadly defined as "any individual or non-government entity" that is "not affiliated with a Covered Entity, provides services to a Covered Entity, and maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the Covered Entity." Although the Regulation emphasizes the importance of a thorough due diligence process on TPSPs, neither the Regulation nor the NYDFS has provided Covered Entities with any specific guidelines for that due diligence requirement. Rather, NYDFS has emphasized that the due diligence process be "thorough" and "based on individual facts and circumstances." NYDFS has made clear that the Regulation "does not create a one-size-fits-all solution." https://www.dfs.ny.gov/industry_guidance/cyber_faqs. Therefore, broadly speaking, a Covered Entity is required to conduct due diligence on each of its TPSPs, evaluate each TPSP's cybersecurity practices, assess the risks each TPSP poses to the Covered Entity's data and systems, and impose prescriptive cybersecurity requirements on each TPSP that adequately address those risks.

However, despite the NYDFS's guidance, Covered Entities may find that a one-size-fits-all solution—that employs high, uniform cybersecurity standards—is the most time- and cost-effective approach to dealing with multiple TPSPs. Depending on the number of TPSPs involved, the difficulty of developing a thorough due-diligence process and cybersecurity protocols for every different TPSP or category of TPSP on a case-by-case basis—along with the requisite contractual revisions—could be prohibitive. Rather, requiring TPSPs to adopt standardized and uniformly higher cybersecurity controls would be a more cost-efficient solution that serves to future-proof the process as other states and the federal government work to implement their own cybersecurity or data privacy legislation. The Covered Entity may also seek to comply with the Regulation by limiting or eliminating TPSP access to certain data and systems or by using fewer TPSPs capable of absorbing the costs inherent with the heightened, prescribed cybersecurity controls.


Shared and Shifting Burdens

In this environment, TPSPs face substantial challenges. Again, the most conservative course for Covered Entities is to simply require broad, uniform cybersecurity protections from all their TPSPs, or from certain types of TPSPs, without individualized exceptions. In an effort to comply, TPSPs may need to employ specialists and counsel to assess the effectiveness of their existing cybersecurity programs and controls. Meanwhile, TPSPs may train their internal administrative and IT staff to address risk assessments and audits from Covered Entities.

Moreover, given that different Covered Entities may set different requirements based on their interpretation of the Regulation, TPSPs may find themselves forced to adopt the most stringent requirements across the board, just to satisfy a single client. TPSPs must decide whether to attempt to negotiate contractual requirements and the applicability of requested controls, or to accept higher, mandated cybersecurity requirements as the cost of doing business.

Some of the specific controls, whether or not required by the Regulation, may include:

  • Access Controls and Encryption: Covered Entities will require TPSPs to implement stricter access controls on covered data, along with requiring multi-factor authentication for accessing data remotely. TPSPs may also be required to ensure encryption of the Covered Entities' data both in transit over external networks and while stored "at rest" on the TPSPs' systems.
  • Event Reporting Protocols: Covered Entities will require TPSPs to have effective incident response protocols, and will require those protocols to be tailored to specific security events with express timetables.
  • Periodic Security Audits and Assessments: Covered Entities will require TPSPs to provide periodic access to their systems and to submit to external auditors to conduct onsite security, vulnerability, and data recovery testing.
  • Enhanced Records Management: Covered Entities may require TPSPs to periodically dispose of data and require them to have consistent records management and destruction policies.
  • Cybersecurity Insurance Coverage: TPSPs may be requested to maintain some degree of cybersecurity insurance coverage, at their own expense, to insure against losses to the Covered Entity resulting from a data security event.
  • Enhanced Cybersecurity Training: Covered Entities may require employees and management of the TPSPs to take specific cybersecurity and breach mitigation training programs.
  • Industry Standards and Certifications: Covered Entities will require TPSPs to deploy cybersecurity programs that conform with recognized industry and international standards, such as the National Institute of Standards and Technology (NIST) cybersecurity framework and the ISO/IEC 27001 standards for information security management systems. Covered Entities may also require TPSPs to obtain ISO certification through an independent accreditation process.

New Jersey's Pending Cybersecurity Legislation

Although cybersecurity is a growing concern in New Jersey and the state has attempted to pass legislation designed to address the issue through various initiatives, it has not passed legislation that requires businesses to implement specific types of information security practices. However, pending legislation introduced in 2018, Assembly Bill No. 1766 / Senate Bill No. 2692, would require every person, corporation, association, partnership or other legal entity that owns or licenses personal information about a New Jersey resident (both consumer and employee information) to develop, implement and maintain a comprehensive, written information security program which provides administrative, technical and physical safeguards that are reasonably appropriate to protect that personal information.

At first glance, the New Jersey bill is broader in scope than New York's Regulation because it applies to all persons or businesses in the state, but it does not contain many of the prescriptive controls in the Regulation and is narrower in terms of the type of information sought to be secured. For instance, the New Jersey bill seeks primarily to protect the personal identifying information of its residents, whereas the New York Regulation covers "non-public" information including both confidential business-related information and individual personal information, regardless of where the individuals reside.

Covered Entities and TPSPs located in New Jersey that have committed the necessary resources and implemented cybersecurity programs and controls in compliance with the Regulation will be well prepared for any future cybersecurity legislation in New Jersey.


Conclusion

Covered Entities bear the continued responsibility for thoroughly evaluating their relationships with their TPSPs in order to ensure that they are in full compliance with the provisions of the Regulation. For many Covered Entities, the required due diligence and assessment process for TPSPs has been and will continue to be a substantial undertaking.

To ensure broad compliance with the requirements of the Regulation, as well as with other current and future cybersecurity and privacy regulations, some Covered Entities will seek uniformly stricter standards for their TPSPs. These are reasonable steps to ensure compliance with the Regulation and to mitigate the risk of data breaches stemming from TPSPs, but they may increase compliance costs downstream. With the final piece of the two-year implementation phase of the Regulation coming due in March 2020, anticipate enforcement to begin in earnest.

Given that the weak point in any cybersecurity program has historically rested with TPSPs, one can expect NYDFS to scrutinize compliance with section 500.11.

David Butler is co-chair of the E-Discovery and Cybersecurity practice group at Bressler, Amery & Ross in Florham Park.