On March 1, 2017, new cybersecurity rules went into effect for entities regulated by the New York State Department of Financial Services (DFS). The Cybersecurity Requirements for Financial Services Companies are designed to help protect business and customer information and the IT systems of the entities that DFS regulates. While the Cybersecurity Requirements took effect on March 1, regulated entities have 180 days to comply. The final requirements are available here.
Who Is Regulated?
The Cybersecurity Requirements apply to companies “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” (“covered entities”). Covered entities include banks, savings and loans, trust companies, check cashers, credit unions, money transmitters, lenders, insurers, holding companies, investment companies, mortgage brokers, originators, and servicers, and certain other regulated types of companies doing business in New York. Smaller covered entities are exempt from certain components of the Cybersecurity Requirements, but they are required to file an exemption form with DFS.
What Information Is Regulated?
The Cybersecurity Requirements apply to electronic “nonpublic information,” which includes certain business information and personally identifiable information. Specifically, nonpublic information encompasses business-related information that, if compromised, would have a material adverse impact on the covered entity’s business, operations, or security. Nonpublic information also includes information about an individual’s identity, financial accounts, and health condition and payments, similar to many state breach notification laws.
What Are Covered Entities Required to Do?
Implement a Cybersecurity Program Based on a Risk Assessment. Under the Cybersecurity Requirements, covered entities are required to develop a cybersecurity program based on an annually updated risk management plan designed to protect data and systems, detect cyberattacks, and respond to and recover from cyberattacks to mitigate negative effects. Compliance includes implementing and maintaining a written cybersecurity policy based on risk assessments that cover at least 14 specific areas.
The Cybersecurity Requirements impose specific obligations related to improving a company’s cybersecurity posture, such as the following:
- Designate a person to perform the functions of a Chief Information Security Officer (CISO).
- Maintain in-house application development standards.
- Perform annual system/network penetration testing and bi-annual vulnerability assessments.
- Implement auditing mechanisms to help protect system and data integrity.
- Limit staff system and data access privileges, and assess whether multi-factor authentication (MFA) should be used. MFA must be used for external access to internal networks.
- Encrypt all nonpublic information both in transit over external networks and at rest. If encryption is not feasible, covered entities must implement effective alternative controls that are approved by the CISO and reviewed by the CISO at least annually.
- Dispose of nonpublic information when it is no longer necessary for a legitimate business purpose and retention is not required by applicable law.
- Provide adequate data security training to cybersecurity personnel.
- Document material improvements to the company’s systems, policies, and cybersecurity program, and make such documentation available to DFS upon request.
Assess Vendor Information Security. The Cybersecurity Requirements also require covered entities to implement written policies and procedures governing how they ensure that vendors are properly securing systems and data, including, to the extent applicable:
- Perform a risk assessment of the vendor.
- Identify the minimum cybersecurity practices required to be met by vendors.
- Evaluate the adequacy of vendors’ cybersecurity practices.
- Assess vendors’ cybersecurity practices periodically.
- Perform due diligence on vendors and establish contractual protections for covered entities’ information.
Provide Data and System Breach Notice to DFS. Covered entities should have a written incident response plan to meet their obligations under the Cybersecurity Requirements. The Cybersecurity Requirements call for notice to DFS within 72 hours when (1) there was an “act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System” and (2) notice is required to any other regulator or there is a reasonable likelihood of materially harming any material part of normal operations.
Senior Management Has an Active Role
Senior management is required to annually review the company’s cybersecurity policy. The CISO is also required to report, at least annually, to the covered entity’s board of directors or equivalent senior management on the company’s cybersecurity posture. DFS may request copies of these reports at any time. Finally, the company must certify to DFS that it complies with the Cybersecurity Requirements.