Regulations adopted by the New York Department of Financial Services (DFS) and effective March 1, 2017 broadly regulate cybersecurity within the financial services industry. See 23 NYCRR 500.1 et seq. The DFS regulations are the first state cybersecurity rules of their kind to apply to financial institutions and others that conduct business in the state of New York. The New York regulations exceed the reach of any other state cybersecurity regulatory scheme and apply not only to insurance companies, but also to banks and other companies that do business in New York. “Covered Entities” are required to assess their cyber risks, implement a comprehensive, written cybersecurity program (which must be made available to the superintendent of DFS for review upon request), manage the cyber risks of their third-party vendors, and certify compliance annually, among other requirements. While the third-party vendor requirements need not be implemented until March 1, 2019, a reference to such procedures should be included in a Covered Entity’s cybersecurity program, which must be adopted as of August 28, 2017.

Perhaps the most startling aspect of the New York cyber regulations is the accountability it places on the Board of Directors of each Covered Entity: the law holds company board members personally liable for the annual compliance certification.
The regulations require that all Covered Entities:
- conduct a risk assessment considering both internal and external influences, and document the results of that risk assessment;
- establish a risk-based cybersecurity program and adopt a written cybersecurity policy;
- designate a qualified Chief Information Security Officer (“CISO”);
- implement written third-party cybersecurity policies;
- establish a written incident response plan;
- notify the Superintendent of DFS of any cyber events within 72 hours;
- submit an annual certification of compliance.
Whether or not covered persons are prepared to satisfy these requirements, the regulations specifically require compliance as of today, August 28, 2017, with respect to the following:
- Cybersecurity program (23 NYCRR 500.02);
- Cybersecurity policy (23 NYCRR 500.03);
- Appointment of a CISO (23 NYCRR 500.04);
- Control of access privileges to the Covered Entity’s Information Systems and confidential data (23 NYCRR 500.07);
- The CISO must designate personnel within the Covered Entity to address various aspects of the Covered Entity’s cybersecurity and confidentiality (23 NYCRR 500.10);
- The Covered Entity must formulate and adopt an incident response plan for cybersecurity events (23 NYCRR 500.16);
- Notification to the Superintendent of cybersecurity events, together with the annual certification of compliance (23 NYCRR 500.17).
If a Covered Entity seeks an exemption from New York’s cybersecurity regulations as of August 28, 2017, a notice of exemption must be filed on or before September 27, 2017 pursuant to 23 NYCRR 500.19(e).
Now that August 28th is here, Covered Entities should focus on what is ahead:
- On February 15, 2018, Covered Entities are required to submit their first certification of compliance pursuant to 23 NYCRR 500.17(b);
- On March 1, 2018, the CISO will deliver the first report to DFS;
- Penetration testing and vulnerability assessments must be in place;
- A risk assessment program must be developed and implemented;
- Multi-factor authentication will be required to limit access to a Covered Entity’s systems and to verify legitimate users;
- By March 1, 2018, 23 NYCRR 500.14(b) requires cyber awareness training.
While other security measures are mandated by September 3, 2018, the final compliance date, March 1, 2019, is the date by which Covered Entities must have third-party service provider security policies in place. To ensure compliance, companies should begin developing those procedures now and, if necessary, engage an outside cybersecurity consultant to assist in their preparation.