NYDFS: The Shifting Regulatory Landscape of Cybersecurity
On December 28, 2016, the New York Department of Financial Services (the “NYDFS”) substantially reproposed its much-anticipated cybersecurity regulation (the “Revised Proposal”). If adopted, the Revised Proposal will implement a framework of risk-based requirements for financial services companies’ cybersecurity programs that is separate and distinct from the federal regulatory approach to cybersecurity.
On September 13, 2016, the NYDFS proposed a “first-of-its-kind” cybersecurity regulation. During the proposal’s 45-day comment period, which ended on November 14, 2016, the NYDFS received a substantial number of comments from industry participants.
On December 28, 2016, the NYDFS restated its belief that the Revised Proposal was in the best interest of the consumer and reissued the Revised Proposal with many substantial changes. While maintaining the structure and subject matter of the original draft proposal, the Revised Proposal attempts to provide more flexibility and company customization. The reissued Revised Proposal will be subject to an additional final 30-day comment period to consider any new comments that were not previously raised in the original comment process.
Who is covered under the Proposed Rule?
Generally, only Covered Entities must comply with the Revised Proposal. A “Covered Entity” is defined as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under (a) the banking law, (b) the insurance law or (c) the financial services law in New York.
To clarify, the Revised Proposal would not impose any new requirements on federally-chartered institutions; however, it would affect state-chartered banks operating branches inside New York (e.g., a New Jersey state-chartered bank operating a branch in New York).
The Revised Proposal exempts Covered Entities with: (a) fewer than 10 employees, including any independent contractors; or (b) less than $5 million in gross annual revenue in each of the last three fiscal years; or (c) less than $10 million in year-end total consolidated assets.
What does the Revised Proposal require?
The Revised Proposal requires Covered Entities to:
1. Establish a Cybersecurity Program. Each financial institution must establish a cybersecurity program designed to ensure the confidentiality, integrity and availability of information systems. The Revised Proposal clarifies that the cybersecurity program shall be based on the Covered Entity’s periodic Risk Assessment.
2. Adopt a Cybersecurity Policy. Each Covered Entity must adopt a written cybersecurity policy setting forth policies and procedures addressing the following:
(a) information security;
(b) data governance and classification;
(c) access controls and identity management;
(d) business continuity and disaster recovery planning and resources;
(e) systems operations and availability concerns;
(f) systems and network security;
(g) systems and network monitoring;
(h) systems and application development and quality assurance;
(i) physical security and environmental controls;
(j) customer data privacy;
(k) vendor and third-party service provider management;
(l) risk assessment; and
(m) incident response.
3. Designate a Chief Information Security Officer. The Revised Proposal clarifies that so long as a Covered Entity has designated a qualified individual to perform the functions of a Chief Information Security Officer (“CISO”), no individual is required to have this specific title or be dedicated exclusively to CISO activities. Additionally, the designated individual now must provide a written, more narrowly focused, annual (not biannual) cybersecurity report to the board of directors or governing body.
A third party service provider may fulfill this role, but the institution will (a) remain responsible for compliance of its cybersecurity program and (b) be required to designate a senior member of the institution’s personnel to oversee the service provider.
4. Oversee Third Party Service Providers. The Revised Proposal defines “Third Party Service Provider” as an entity that (1) is not an Affiliate of the Covered Entity, (2) provides services to the Covered Entity and (3) has access to Nonpublic Information through its provision of services to the Covered Entity.
A regulated financial institution must have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties. These policies and procedures must include the following:
(a) identification and risk assessment of third party service providers;
(b) minimum cybersecurity practices required to be met by such third parties;
(c) due diligence processes used to evaluate the adequacy of cybersecurity practices of third parties; and
(d) periodic assessment of third parties, based upon the risk they present and for the purpose of assuring the continued adequacy of their cybersecurity practices.
Importantly, the Revised Proposal bases the requirement to conduct periodic assessments of Third Party Service Providers on the risk they present. The original version required Covered Entities to establish preferred provisions to be included in contracts with such service providers. The Revised Proposal instead requires Covered Entities to establish “relevant guidelines for due diligence and/or contractual protections.”
The Revised Proposal permits broader representations and warranties in contracts between Covered Entities and Third Party Service Providers (i.e., those “addressing the Third Party Service Provider’s cybersecurity policies and procedures”), rather than the original version’s language specifying representations and warranties from service providers that the service is free of viruses, trap doors and other mechanisms that would impair security. The Revised Proposal also eliminates the requirement to establish preferred contract provisions regarding the Covered Entity’s right to perform cybersecurity audits of service providers.
5. Implement Incident Response Plans / 72-Hour Notice Requirement. Each financial institution will be required to establish a written incident response plan, which must address, at a minimum, the following:
(a) the internal processes for responding to a cyber event;
(b) the goals of the incident response plan;
(c) the definition of clear roles, responsibilities and levels of decision-making authority;
(d) external and internal communications and information sharing;
(e) remediation of any identified weaknesses in the institution’s systems and controls;
(f) documentation and reporting of a cyber event; and
(g) the evaluation and revision of the incident response plan following a cyber event.
The written incident response plan requirement now includes a materiality standard, ostensibly narrowing the range of incidents that may trigger a full response. Further, although the Revised Proposal retains the obligation to notify the NYDFS superintendent within 72 hours, it has been modified to specify that the clock starts ticking at the point when the Covered Entity has made “a determination” that a specific type of Cybersecurity Event has occurred. (The previous standard required notification within 72 hours of “becoming aware” of a Cybersecurity Event.)
Additionally, the original version of the regulations required the Covered Entity to notify the NYDFS within 72 hours of any Cybersecurity Event that (a) has a reasonable likelihood of materially affecting the Covered Entity’s normal operations or (b) affects Nonpublic Information. Under the new version of the regulations, notification to the NYDFS is limited to Cybersecurity Events (a) of which notice is required to be provided to any supervisory body or (b) that have a reasonable likelihood of materially harming any material part of the Covered Entity’s normal operations.
The Third Party Service Providers’ requirement to notify Covered Entities of Cybersecurity Events is narrowed to those Cybersecurity Events that directly impact the Covered Entity’s Information Systems or Nonpublic Information held by the Third Party Service Provider.
6. Penetration Testing and Vulnerability Assessments. The original version of the regulations required Covered Entities to conduct penetration testing annually and vulnerability assessments quarterly. The Revised Proposal requires the cybersecurity program to incorporate “monitoring and testing, developed in accordance with risk assessments” including continuous monitoring or periodic penetration testing and vulnerability assessments. Under the Revised Proposal, if there are not effective continuous monitoring or other systems to detect changes that may indicate vulnerabilities, then the Covered Entity is required to conduct penetration testing annually and vulnerability assessments quarterly.
7. Audit Trail. The original version of the regulations required Covered Entities to implement audit trail systems for nearly every financial transaction and retain such data for six years. The Revised Proposal requires Covered Entities to (1) maintain systems that, to the extent applicable and based on the Covered Entity’s risk assessment, include audit trails designed to detect and respond to Cybersecurity Events that “have a reasonable likelihood of materially harming any material part” of the Covered Entity’s normal operations and (2) retain such records for five years.
8. Access Privileges. The Revised Proposal requires Covered Entities to limit user access privileges to Information Systems that provide access to Nonpublic Information, based on the Covered Entity’s Risk Assessment, and requires Covered Entities to “periodically” review such access privileges.
9. Bolster Cybersecurity Protections. In addition to periodic internal and external cyber risk assessments and audits, Covered Entities will also be required to adopt the following:
(a) Multi-factor Authentication. The original requirements to use multi-factor authentication under specific enumerated circumstances have been replaced with a general mandate that Covered Entities use “effective controls” (including multi-factor authentication or risk-based authentication) to protect Nonpublic Information and Information Systems. Note, however, that unless the CISO has provided written approval otherwise, multi-factor authentication is required for remote access to internal networks.
(b) Encryption. The original version of the regulations required Covered Entities to meet the requirement to encrypt all Nonpublic Information held or transmitted by the Covered Entity within five years. Under the Revised Proposal, to the extent a Covered Entity determines that encryption of Nonpublic Information in transit over external networks or at rest is not feasible, the Covered Entity may use “effective alternative compensating controls” that are approved by the CISO and reviewed by the CISO annually.
Importantly, while the Revised Proposal may require financial institutions to use both encryption and multi-factor authentication in certain circumstances, a financial institution cannot rely on its compliance with these NYDFS-imposed features alone. Financial institutions will still be required by the federal regulators to assess and adopt proper cybersecurity programs commensurate with their size, complexity and identified risks. Consequently, this inconsistency will require each financial institution to assess and audit its compliance under both the NYDFS and the federal regulatory approach.
10. Additional Requirements. In addition to the foregoing, a financial institution’s cybersecurity program will be required to include the following:
(a) periodic cybersecurity training of all personnel that is specific to the risks of the institution;
(b) annual reviews and updates (as necessary) to written application security procedures, guidelines and standards;
(c) periodic risk assessment of the confidentiality, integrity and availability of information systems; adequacy of controls; and mitigation or acceptance of identified risks;
(d) employment and training of cybersecurity personnel to stay abreast of changing threats and countermeasures; and
(e) timely destruction of nonpublic information that is no longer necessary except where required to be retained by law or regulation.
How will the Revised Proposal impact financial institutions?
The Revised Proposal represents the most comprehensive cybersecurity regulation to date in the United States. The high-level significance of the Revised Proposal is four-fold.
1. Regulatory Shift. The Revised Proposal represents a shift from the current state and federal regulatory approach to cybersecurity, which generally is aspirational—not mandatory. While the Revised Proposal provides for greater flexibility in developing and maintaining a cybersecurity program than the regulation originally proposed, the NYDFS approach still emphasizes certain minimum requirements that are separate and apart from federal regulation, which has emphasized a “risk-based” approach in that each financial institution should adopt a cybersecurity system commensurate with the size, complexity and individual risk profile of the financial institution.
2. Increased Costs. In mandating additional comprehensive cybersecurity protections, the NYDFS approach will likely place a substantial cost burden on all financial institutions. As smaller financial institutions are less likely to have in place systems that would be compliant with the Revised Proposal, there is a strong likelihood of cybersecurity becoming one of the larger operational expenses.
3. Dual Regulation. The Revised Proposal does not affect any prior issued guidance from the federal banking regulators concerning: (a) third party service provider risk management; (b) best practice and cybersecurity recommendations; or (c) incident response programs. Thus, while certain elements of the Revised Proposal differ from federal regulations, a financial institution that is ultimately subject to the Revised Proposal will be required to treat any discrepancy as an additional layer of compliance.
4. The Snowball Effect. As one of the preeminent financial services regulators in the country, the NYDFS’s actions may serve as a catalyst, causing other state regulators to impose similar requirements in their states.
When will the Revised Proposal become effective?
The Revised Proposal’s effective date was delayed from January 1, 2017 to March 1, 2017. However, financial institutions covered by the Revised Proposal will have 180 days, or until September 1, 2017, to comply with the new requirements. Further, the NYDFS did not change the February 15, 2018 date by which Covered Entities must submit to the NYDFS a certificate of compliance indicating that they are complying with the terms of the cybersecurity protections.
However, the Revised Proposal now provides entities with an 18-month transitional period to create written procedures to ensure the security of their applications, establish policies for the secure disposal of nonpublic data, and develop an audit trail system, and a two-year transitional period to develop and implement written policies and procedures for their third party vendors.
In sum, the Revised Proposal’s consequences are likely to be far-reaching. Financial institutions would be wise to review all regulatory developments in cybersecurity and continually reassess their cybersecurity programs for regulatory compliance.
John C. Cleary, Bruce A. Radke, Michael J. Waters, Charles J. Nerko and Mark C. Svalina also contributed to this article.