New York DFS Finalizes ‘First-in-the-Nation’ Cybersecurity Regulations for Financial Services Industry

On February 16, 2017, the New York Department of Financial Services (DFS) released its final self-described “first-in-the-nation”cybersecurity regulations (the Rules). The Rules become effective March 1, 2017, but will be phased in on a staggered basis beginning 180 days after the effective date. Proposed cybersecurity regulations were initially released on September 13, 2016 to become effective January 1, 2017, but on December 28, 2016, the DFS delayed the effective date and simultaneously issued a revised proposal. Morgan Lewis submitted comment letters recommending several modifications to both the initial proposal and the revised proposal.

Although the DFS did take comments into account in initial revisions, the Rules still raise important operational, compliance, and risk management concerns for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities (Covered Entities). The Rules have only minimal changes from the revised proposal, aside from certain changes made to the exemptive provisions, in particular with regard to Covered Entities that are insurance enterprises.

Under the Rules, Covered Entities will be required to establish and maintain cybersecurity programs designed to perform the following functions:

• Identify internal and external cyber risks

• Use defensive infrastructure and implement policies and procedures to protect the Covered Entity’s information systems and nonpublic information stored on such systems from unauthorized access or use and other malicious acts

• Detect Cybersecurity Events (as defined in the Rules)

• Respond to identified or detected Cybersecurity Events to mitigate any adverse effects

• Recover from Cybersecurity Events

• Fulfill all regulatory reporting obligations

The Rules also mandate the following:

• Periodic penetration testing and vulnerability assessment

• Audit trail requirements

• Employee training

• Encryption of nonpublic information

• Third-party service providers security policy

• Identification of a Chief Information Security Officer (CISO) to oversee, implement, and provide board reporting regarding the cybersecurity program

• Data retention and monitoring procedures

• A strict 72-hour notification standard that requires Covered Entities to report Cybersecurity Events in broad-ranging circumstances, such as unauthorized attempts to access a Covered Entity’s systems

• Establishment of an incident response plan

Each Covered Entity is required to submit a certification stipulating that its board of directors or designated senior official has reviewed reports and other documentation and that, to the best of the board’s or official’s knowledge, the cybersecurity program complies with the Rules.

Each Covered Entity will have the flexibility to perform a risk assessment on which many of the other requirements are based, thereby limiting certain requirements. The Rules will apply irrespective of whether the Covered Entity already adheres to cybersecurity regulations imposed at the federal or state level, but the Rules do contain exemptions from compliance with certain rules therein for “small” Covered Entities and various insurance entities.

The majority of the Rules become effective March 1, 2017, with a 180-day grace period as well as several transition periods for certain requirements. For example, Covered Entities will be required to submit their certifications of compliance as of February 15, 2018, and will have:

• one year from the effective date to comply with the CISO reporting requirement, penetration testing and vulnerability assessment, risk assessment, multifactor authentication, and cybersecurity awareness training;

• 18 months to comply with the audit trail, application security, limitations on data retention, monitoring procedures, and encryption of nonpublic information; and

• two years to comply with the third-party service providers security policy.

Given the short amount of time before the Rules take effect, and the relatively short transition periods, Covered Entities should begin taking the necessary steps to comply with the Rules’ major requirements.