January 23, 2018

January 22, 2018

New York DFS Finalizes ‘First-in-the-Nation’ Cybersecurity Regulations for Financial Services Industry

On February 16, 2017, the New York Department of Financial Services (DFS) released its final self-described “first-in-the-nation” cybersecurity regulations (the Rules). The Rules become effective March 1, 2017, but will be phased in on a staggered basis beginning 180 days after the effective date. Proposed cybersecurity regulations were initially released on September 13, 2016 to become effective January 1, 2017, but on December 28, 2016, the DFS delayed the effective date and simultaneously issued a revised proposal. Morgan Lewis submitted comment letters recommending several modifications to both the initial proposal and the revised proposal.

Although the DFS did take comments into account in initial revisions, the Rules still raise important operational, compliance, and risk management concerns for financial institutions, financial services companies, insurance firms, and other DFS-regulated entities (Covered Entities). The Rules have only minimal changes from the revised proposal, aside from certain changes made to the exemptive provisions, in particular with regard to Covered Entities that are insurance enterprises.

Under the Rules, Covered Entities will be required to establish and maintain cybersecurity programs designed to perform the following functions:

  • Identify internal and external cyber risks

  • Use defensive infrastructure and implement policies and procedures to protect the Covered Entity’s information systems and nonpublic information stored on such systems from unauthorized access or use and other malicious acts

  • Detect Cybersecurity Events (as defined in the Rules)

  • Respond to identified or detected Cybersecurity Events to mitigate any adverse effects

  • Recover from Cybersecurity Events

  • Fulfill all regulatory reporting obligations

The Rules also mandate the following:

  • Periodic penetration testing and vulnerability assessment

  • Audit trail requirements

  • Employee training

  • Encryption of nonpublic information

  • Third-party service providers security policy

  • Identification of a Chief Information Security Officer (CISO) to oversee, implement, and provide board reporting regarding the cybersecurity program

  • Data retention and monitoring procedures

  • A strict 72-hour notification standard that requires Covered Entities to report Cybersecurity Events in broad-ranging circumstances, such as unauthorized attempts to access a Covered Entity’s systems

  • Establishment of an incident response plan

Each Covered Entity is required to submit a certification stipulating that its board of directors or designated senior official has reviewed reports and other documentation and that, to the best of the board’s or official’s knowledge, the cybersecurity program complies with the Rules.

Each Covered Entity will have the flexibility to perform a risk assessment on which many of the other requirements are based, thereby limiting certain requirements. The Rules will apply irrespective of whether the Covered Entity already adheres to cybersecurity regulations imposed at the federal or state level, but the Rules do contain exemptions from compliance with certain rules therein for “small” Covered Entities and various insurance entities.

The majority of the Rules become effective March 1, 2017, with a 180-day grace period as well as several transition periods for certain requirements. For example, Covered Entities will be required to submit their certifications of compliance as of February 15, 2018, and will have:

  • one year from the effective date to comply with the CISO reporting requirement, penetration testing and vulnerability assessment, risk assessment, multifactor authentication, and cybersecurity awareness training;

  • 18 months to comply with the audit trail, application security, limitations on data retention, monitoring procedures, and encryption of nonpublic information; and

  • two years to comply with the third-party service providers security policy.

Given the short amount of time before the Rules take effect, and the relatively short transition periods, Covered Entities should begin taking the necessary steps to comply with the Rules’ major requirements.

Copyright © 2018 by Morgan, Lewis & Bockius LLP. All Rights Reserved.


About this Author

Martin Hirschprung, Morgan Lewis Law Firm, Investment Attorney

Martin Hirschprung focuses his practice on representing investment companies and their advisers in a wide variety of legal, regulatory, and transactional matters. His experience extends to work in several areas, including fund formation, ongoing compliance, and corporate governance.

Charles M. Horn, Morgan Lewis Law Firm, Securities Attorney

Charles M. Horn is a partner in Morgan Lewis's Investment Management and Securities Industry Practice. Mr. Horn focuses his practice on regulatory and transactional matters, primarily in the areas of banking and financial services. He works on behalf of domestic and global financial institutions of all sizes on regulatory, supervisory, enforcement and compliance matters before all major federal financial institutions regulatory agencies, and leading state financial regulatory agencies.

Mark Krotoski, Litigation Attorney, Morgan Lewis Law Firm

Mark L. Krotoski is a partner in Morgan Lewis’s Litigation, Antitrust, and Privacy and Cybersecurity practices. Mr. Krotoski’s practice focuses on representing and advising clients on antitrust cartel investigations; cybersecurity, data breach, and privacy matters; trade secret, economic espionage, fraud, and foreign corrupt practices cases; and government investigations.

Of counsel

Melissa R. H. Hall is of counsel in Morgan Lewis’s Investment Management and Securities Industry Practice. Ms. Hall represents domestic and non-U.S. banks, financial services companies, and technology companies in regulatory and transactional matters.