NY's Cybersecurity Rules for Banks, Insurers, Financial Services

The New York Department of Financial Services’ new ­cybersecurity rules applicable to banks, insurance ­companies and other financial services companies, 23 NYCRR 500, went into effect on March 1. While most states have some form of data breach notification ­standards, and some states have security standards generally applicable to personal data, these are the first state-mandated cybersecurity ­regulations applicable to ­specific industries. The federal government has had industry specific requirements in place for some time, most notably in health care under HIPAA and HITECH, and for banks and other financial services companies under Gramm-Leach-Bliley. The N.Y. cyber rules while similar in many respects to existing federal regulations are more specific in certain key aspects and include mandates for companies to have a chief information security officer (CISO) and for top level executives to review and certify compliance with the new rules on an annual basis. These requirements have already fueled speculation that one of the biggest impacts of the rules will be heightened ­litigation in the wake of a cyberincident based on the certifications of executives regarding a company’s ­cybersecurity practices.

The rules apply to “covered entities,” which are defined to include any person operating under or required to operate under a license, registration, charter or similar authorization under New York’s Banking, Insurance or Financial Services Laws. (As used herein terms are specifically defined in section 500.01.) The N.Y. cyber rules impose a number of requirements on ­covered entities including: maintaining a cybersecurity program (500.02); maintenance of a written policy or policies detailing the steps to be taken to protect information systems (500.03); designation of a CISO who is to provide at least annual reports to the board of directors or equivalent governing body (500.04); to conduct periodic penetration testing and vulnerability assessments (500.05); the ability to reconstruct material financial transactions and maintenance of audit trails designed to detect and respond to cybersecurity events (500.06); limitation of access to nonpublic information (500.07); specific guidelines for the creation of in-house developed applications and evaluation of externally created applications (500.08); conduct periodic risk assessments sufficient to enable the creation of a cybersecurity program required under the NY Cyber Rules (500.09); utilize qualified cybersecurity personnel to perform or oversee the performance of core cybersecurity ­functions (500.10); implement written policies and procedures for interaction with third party service providers (500.11); utilization of multi-factor and risk based authentication (500.12); limitations on data retention (500.13); monitoring activity by authorized users to develop risk-based ­controls to prevent unauthorized use or access by such users and regular ­cybersecurity awareness training for all personnel that is updated to reflect risks identified in the risk assessment (500.14); encryption of nonpublic information in transit over external networks and at rest (500.15); establish written incident response plan (500.16); and, notice to the superintendent within 72 hours of determining that a cybersecurity event occurred and annual ­certification of ­compliance to the superintendent (500.17). Other key aspects of the rules ­include the ability of affiliates to utilize a single cybersecurity program. There are also certain exceptions including for ­covered entities with less than 10 employees including independent contractors, less than $5 million in gross annual revenue for each of the last three years, or less than $10 million in year-end total assets from the requirements of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16. Also, employees, agents, representatives or designees of a covered entity that are covered entities themselves are exempt to the extent they are covered by the covered entity’s cybersecurity program. Exempted covered entities must file a notice of exemption annually, and have 180 days from the end of its ­fiscal year in which it no longer qualifies for ­exemption to comply with the requirements.