
NY Financial Services Companies’ 2017 Resolution: Cybersecurity

The New York State Department of Financial Services (DFS) made headlines back in late September with a “first-in-the-nation” piece of legislation aimed at mandating specific cybersecurity protocols for banks, insurance companies, and other financial services institutions (Regulations). As the 45-day notice and public comment period recently closed, the Regulations, if adopted, will take effect January 1, 2017, and “covered entities” will have 180 days to comply. Even those companies with cybersecurity programs in place will still need plans for compliance under the new Regulations. Additionally, while New York may be the first state to issue a set of regulations of this kind, it is unlikely to be the last.

Next Steps:

  • Start now to take an in-depth look at your cybersecurity policies and governance procedures

  • Determine whether they comply with new requirements, such as program certification, reporting to the board, and other critical policy areas

  • Perform an internal and external risk assessment

  • Perform a risk assessment and diligence of all third parties, including their cybersecurity programs, at least once a year

  • Implement and maintain a written cybersecurity plan that includes a minimum set of required cybersecurity practices for third parties

  • Appoint a CISO who will report to the board at least twice a year and maintain sufficient resources to manage risks and perform tasks

  • Make cybersecurity diligence a New Year’s resolution you keep — let Foley help assess and implement your cybersecurity policies, programs, and training

Entities Impacted by the Regulations

The proposed Regulations apply to entities meeting the definition of a “covered entity,” which includes: “any [p]erson operating under or required to operate under a license, registration, charter certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” This definition broadly encompasses not just those entities traditionally thought of — such as banks, credit unions, insurance companies, and mortgage lenders or brokers — but also third-party service providers to these regulated entities, as third parties are indirectly obligated to have similar cybersecurity policies and procedures. There are some exceptions to the definition of covered entity based upon an organization’s number of customers and gross annual revenue.

Key Implementation Requirements

The Regulations mandate a number of specific obligations that, for many companies, will require a shift in focus from ad hoc cybersecurity compliance to a methodical and well-documented program. From a 360-degree view, companies must have:

  1. A cybersecurity program in place that includes functions such as data mapping

  2. A written cybersecurity policy addressing a minimum of 14 different areas

  3. An information security policy for third parties who process information on the organization’s behalf

  4. An incident response plan

The Regulations also impose other specific procedures, such as:

  • Board Involvement: Unlike any other state regulatory scheme, the Regulations mandate board-level engagement in an organization’s cybersecurity preparedness. Such engagement requires annual board review of the company’s cybersecurity policies and an annual certification approved by a “senior officer” confirming compliance. These expectations on upper-level management’s involvement align with the U.S. Department of Justice’s focus on holding individuals accountable.

  • Cybersecurity Personnel: Good news if you are an experienced cybersecurity professional — the Regulations require each covered entity to designate a chief information security officer (CISO) and ensure that a “sufficient” number of cybersecurity personnel are employed to manage the risks and core functions of the program. The CISO must prepare and deliver a report to the board or its equivalent at least twice a year.

  • Direct Protections on Data: At a minimum, the Regulations expect companies to: (1) maintain an audit trail, (2) limit access privileges, (3) destroy non-public information in a timely manner, (4) require multi-factor authentication for certain types of access to non-public information, and (5) encrypt all non-public information held or in transit (to the extent encryption is currently infeasible, there is a one-year grace period for encryption of data in transit and a five-year grace period to implement encryption of data at rest).

  • Risk Analysis and Security Testing: The Regulations also require an annual risk analysis, annual penetration testing, and quarterly vulnerability assessments. Because these security assessments are mandatory, companies can no longer claim ignorance of risks and vulnerabilities that may affect non-public customer data maintained by third parties.

  • Notification: A covered entity must notify the superintendent promptly, but no later than 72 hours, after becoming aware of a cybersecurity event that has a reasonable likelihood of materially affecting normal operation of the information system or that affects any non-public information. The organization must also notify the superintendent within 72 hours of any material risk of imminent harm related to its cybersecurity program.

© 2021 Foley & Lardner LLP

National Law Review, Volume VI, Number 337

About this Author

Stephen A. Aschettino, Foley Lardner Law Firm, Litigation Attorney

Stephen A. Aschettino is a partner and litigation attorney with Foley & Lardner LLP. He is an accomplished trial attorney and former general counsel with more than 20 years of experience. Mr. Aschettino's practice encompasses a wide variety of complex business law and high-stakes litigation matters. He is the chairman of the Payments Technology Team and has served as lead trial and appellate counsel in commercial, insurance, bankruptcy and products liability cases. Mr. Aschettino serves on Foley’s Diversity Action & Inclusion Council and lends his diverse...

Julia Kadish, Foley Lardner Law Firm, Technology Drafting Attorney

Julia (Julie) Kadish is an associate with Foley & Lardner LLP where her practice focuses on drafting and reviewing technology agreements across a variety of industries, and counseling clients on privacy and data security matters, including data breach response and preparedness. She also has experience implementing corporate compliance programs from an initial risk assessment to implementation, training, and annual audits. Ms. Kadish is a Certified Information Privacy Professional (CIPP/US).

Steven Millendorf, Technology Attorney, Foley and Lardner Law Firm

Steven Millendorf is an associate and intellectual property lawyer with Foley & Lardner LLP. He has experience drafting, reviewing and revising technology agreements, including protections for privacy and data security. Mr. Millendorf regularly tracks changes to state breach notification laws and revises Foley’s nationally published state data breach notification database. He also has experience in defending electronics and telecommunications clients in IP litigation matters. Mr. Millendorf is a member of the firm’s Technology Transactions & Outsourcing,...

Aaron K. Tantleff, Foley Lardner, E-Commerce lawyer, IP Attorney, Patents

Aaron K. Tantleff is a partner and intellectual property lawyer with Foley & Lardner LLP. His practice focuses upon providing legal and strategic guidance regarding information technology, outsourcing, licensing, consulting, professional services, e-commerce, manufacturing, supply, and distribution agreements, as well as product acquisitions, strategic alliances, mergers and acquisitions, and private equity investments where technology and intellectual property are of significant importance and value. Mr. Tantleff is a member of the firm’s Technology...