23 NYCRR Part 500 (the “Regulation”) is a much anticipated regulation of the New York Department of Financial Services (“DFS”), which took effect March 1, 2017. The DFS had promised a Regulation in 2016 and then issued two comment drafts in the second half of 2016. This regulation requires each company to assess its specific risk-based profile and to tailor a program that addresses the risks identified by self-assessment.[1]
The Regulation is the first in the nation to mandate that banks, insurers and other financial institutions within DFS’ regulatory jurisdiction (referred to as “Covered Entities”) protect their customer information from cyber-attacks directed at them. By also requiring Covered Entities to protect their information technology systems, New York’s new cybersecurity regulation automatically assumes the aura of a “gold standard” for the nation’s financial services industry.
The requirements under the Regulation will, however, be rolled out in stages, from March 1, 2017 (“Implementation”), with the first yearly compliance certifications by Covered Entities to DFS due February 15, 2018. Those requirements of the Regulation with longer transitional periods are designed to provide outside deadlines for compliance and are consistent with DFS’ goals of setting minimum standards.[2] They also recognize the cost and operational complexities of achieving full compliance with the new Regulation. Covered Entities are urged to comply as soon as possible to protect customer information. Each yearly report must certify that the Covered Entity is in compliance with the requirements set forth in the Regulation.[3]
Due Within 180 Days From Implementation
A. Maintain a cybersecurity policy
Each Covered Entity is required to establish and maintain a cybersecurity policy designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
The cybersecurity policy must be based on the Covered Entity’s Risk Assessment and designed to perform fourteen core cybersecurity functions:[4]
(1) information security;
(2) data governance and classification;
(3) asset inventory and device management;
(4) access controls and identity management;
(5) business continuity and disaster recovery planning and resources;
(6) systems operations and availability concerns;
(7) systems and network security;
(8) systems and network monitoring;
(9) systems and application development and quality assurance;
(10) physical security and environmental controls;
(11) customer data privacy;
(12) vendor and third party service provider management;
(13) risk assessment; and
(14) incident response.
B. Retain a Chief Information Security Officer (“CISO”) and Other Qualified Personnel
Each Covered Entity, or its affiliated entity or a Third Party Service Provider, is required to designate a qualified individual (the CISO) with primary responsibility to oversee and implement the Covered Entity’s cybersecurity policy and enforce its cybersecurity program, in particular the core functions specified in 23 NYCRR §500.02(b)(1)-(6).[5] The Covered Entity must also provide its cybersecurity personnel with updates and training sufficient to address changing risks, and verify that key personnel maintain current knowledge of changing threats and countermeasures.[6]
C. Restrict Access Privileges
Based on each Covered Entity’s Risk Assessment, each Covered Entity is required to limit user access to information systems that potentially disclose Nonpublic Information and periodically review such access privileges.[7]
D. Establish a Written Incident Response Plan
The plan must be designed to promptly respond to, and recover from, any Cybersecurity Event[8] materially affecting the confidentiality, integrity or availability of the Covered Entity’s information systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.[9] It must address, among other things: (1) the internal processes for responding to a Cybersecurity Event; (2) the goals of the incident response plan; (3) the definition of clear roles, responsibilities and levels of decision-making authority; (4) external and internal communications and information sharing; (5) identification of requirements for remediating any identified weaknesses in information systems and associated controls; (6) documentation and reporting regarding Cybersecurity Events and specific related incident response activities; and (7) revision of the plan as necessary following a Cybersecurity Event, upon evaluation.
E. Notice to Superintendent of a Cybersecurity Event
Notice must be given to the Superintendent within 72 hours of any Cybersecurity Event of which notice to a governmental entity is required and with respect to which there is a reasonable likelihood of material harm to any material part of the normal operations of the Covered Entity.[10]
Due Within One Year from Implementation
A. The CISO must prepare an annual report to the Board of Directors on the Covered Entity’s Cybersecurity Program[11] including separate sections covering:
- The integrity and security of its information systems;
- Its cybersecurity policies and procedures;
- Any material cyber risks to the Covered Entity;
- The overall effectiveness of its cybersecurity program; and
- Any material Cybersecurity Event involving the Covered Entity during the time period addressed by the report.
B. Each Covered Entity must design and implement a Cybersecurity Program to include penetration testing and vulnerability assessments[12]
- Developed in accordance with the Covered Entity’s Risk Assessment and designed to assess the effectiveness of the Covered Entity’s cybersecurity program;
- Including periodic monitoring and testing (annual); and
- Including vulnerability assessments (biannual).
C. Multi-Factor Authentication[13]
- A control to protect against unauthorized access to Nonpublic Information or systems; and
- Must be used for any individual accessing internal networks from an external network.
D. Implementation of regularly updated cyber awareness training for all personnel, which must reflect the risks identified by the Covered Entity[14]
Due Within 18 Months from Implementation
A. Audit Trail[15]
- Systems must be designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity;
- Those systems must include audit trails to detect and respond to material Cybersecurity Events; and
- Records must be kept for 5 years.
B. Application Security[16]
- Written procedures, guidelines and standards must be implemented ensuring the use of secure practices for in-house developed applications and the testing of externally developed applications used by the Covered Entity; and
- These must be periodically reviewed, assessed and updated by the CISO (or a qualified designee).
C. Adopt Limitations on Data Retention[17]
- These must include policies and procedures for the disposal of nonpublic personal information.[18]
D. Each Covered Entity must implement risk-based policies, procedures and controls to monitor activity of Authorized Users and detect unauthorized access, use of, or tampering with, nonpublic personal information by Authorized Users[19]
E. With certain exceptions, each Covered Entity must implement controls that include encryption of nonpublic business-related and nonpublic personal information[20]
Due Within Two Years from Implementation[21]
As part of the Covered Entity’s Third Party Service Provider Security Policy, each Covered Entity is required to implement written security policies to ensure the security of information systems and Nonpublic Information accessible to Third Party Service Providers, including:[22]
- Defining minimum cybersecurity practices required to be met by Third Party Service Providers in order for them to do business with the Covered Entity;
- Adopting a due diligence program to evaluate the adequacy of their cybersecurity practices;
- Identification and periodic assessments of Third Party Service Providers based on the risk and adequacy of their cybersecurity practices; and
- Establishing written guidelines addressing contractual protections addressing multi-factor authentication and policies and procedures for use of encryption, unless it is determined that encryption is not feasible and the CISO approves other compensating controls. Any alternatives to encryption must be reviewed by the CISO annually.
Limited or Automatic Exemptions from Application of the New Regulation
A limited exemption from the Regulation applies to certain Covered Entities, in particular: 1) a Covered Entity having fewer than 10 employees, including its independent contractors or affiliates located in the State of New York or responsible for the business of the Covered Entity; 2) a Covered Entity which, together with its affiliates, has realized less than $5 million in gross annual revenue in each of the last three fiscal years from New York business; 3) a Covered Entity which, together with its affiliates, has fewer than $10 million in year-end total assets; and 4) in the case of a licensed captive insurer, a Covered Entity that does not, and is not required to, directly or indirectly, control, own, access, generate, receive or possess Nonpublic Information other than information related to its corporate parent or affiliates.
An automatic exemption applies to: 1) charitable annuity societies; 2) foreign risk retention groups operating in New York; and 3) certified or accredited reinsurers.[23]
Summary and Conclusion
In April 2015, the NAIC adopted the Principles for Effective Cybersecurity: Insurance Regulatory Guidance which, in turn, was derived from the Securities Industry and Financial Markets Association’s Principles for Effective Cybersecurity Regulation Guidance. “The twelve principles adopted direct insurers, producers, and other regulated entities to join forces in identifying risks and adopting practical solutions to protect information entrusted to them. The guiding principles are intended to establish insurance regulatory guidance that promotes coordination and protects insurance consumers.”[24]
On September 13, 2016, New York State Governor Andrew M. Cuomo announced in a Press Release that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks. “The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”[25] The final risk-based regulation includes certain regulatory minimum standards while encouraging financial services firms to keep pace with technological advances.
As New York’s Governor Andrew M. Cuomo stated in a further Press Release dated February 16, 2017, "These strong, first-in-the-nation protections will help ensure [the companies at the heart of the financial services industry have] the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."[26] Other jurisdictions and the NAIC have promised to issue their own cybersecurity regulations, which likely will incorporate much of what the DFS has promulgated.