On March 1, 2017, the New York financial services industry will awaken to a new regulatory regime designed to set minimum standards for the development and functionality of cybersecurity programs. The New York State Department of Financial Services’ (“DFS”) proposed cybersecurity regulation (the “DFS Rule”) will cover any institution doing business in New York pursuant to a license, registration, charter, or similar authority under New York’s Banking, Insurance, or Financial Services Laws. Companies outside the financial services sector should also take heed, as regulators overseeing other industries may use the DFS regulations as a benchmark for what a “reasonable” cybersecurity program looks like.
The DFS Rule is motivated by the clear and present danger posed by cybercriminals who seek to access sensitive personal data and potentially cause significant economic harm. Of course, privacy and consumer protection cannot be achieved without an investment of time and resources by the financial services industry, and companies need to start preparing for the new normal in the digital age.
At its broadest level, the DFS Rule requires companies to maintain a risk-based cybersecurity program that is designed to protect the confidentiality, integrity, and availability of the company’s information systems. Under the rule, every company must implement and maintain a cybersecurity policy that is approved by a senior corporate officer or the board of directors.[1] Every company must also designate a qualified employee to act as a Chief Information Security Officer (“CISO”),[2] and must have the capability to run penetration assessments of its systems,[3] create audit trails,[4] and ensure effective training and monitoring.[5] Companies must ensure and periodically review risk-based access privileges designed to limit internal access to nonpublic information.[6] The list goes on.
The DFS Rule is in some ways more robust than the hodge-podge of cybersecurity regulations and best practices that have been promulgated over many years at the federal level. But following the comment period in the fall of 2016, the latest iteration of the DFS rule offers companies a degree of flexibility not seen in the earlier version of the proposed regulation.
The DFS Rule permits financial services companies to outsource many of the requirements, subject to certain standards and without permitting the companies to abrogate their responsibility for effective cybersecurity. For instance, Section 500.04 of the rule allows companies to designate an affiliate or third-party provider to serve as the institution’s CISO, who need only report to the board of directors on an annual basis. Under the revised rule, companies may also outsource their cybersecurity personnel, and the required cybersecurity policy now need only address the areas of the institution’s operations that are relevant based on the mandatory risk assessment.
Even some of the encryption and authentication provisions do not read as check-the-box, hyper-technical requirements. For instance, Section 500.12 (“Multi-Factor Authentication” or “MFA”) states that companies “shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.” While MFA is required for those accessing a company’s internal network from an external one, the company’s CISO may approve in writing a “reasonably equivalent” alternative. The DFS Rule appears to give companies some degree of flexibility in achieving the underlying policy goals.
If senior management is asking whether their institution is too small to fall within the DFS Rule’s ambit, think again. Companies qualify for limited exemptions under the rule if they have (a) fewer than 10 employees, including independent contractors, (b) less than $5 million in gross annual revenue in each of the last three fiscal years, or (c) less than $10 million in year-end total assets, including assets of all affiliates.[7] There aren’t many financial services companies in New York that would qualify. What’s more, even if a company operates only a small portion of its business in New York, it cannot comply with the DFS Rule by changing its practices only within New York. Cyber and network security necessarily cross jurisdictional boundaries, and banks cannot require MFA or application security in a New York branch without upgrading in New Jersey as well.
Banks, insurance companies, and other financial services firms need to start assessing their existing cybersecurity program and determine what steps they must take to achieve compliance under the new law. Companies will have 180 days from March 1, 2017 to comply with the DFS Rule, subject to a few exceptions. For instance, companies will be given one year to comply with penetration testing and vulnerability assessments as well as the MFA requirements,[8] and eighteen months to comply with the audit trail and application security requirements.[9] Finally, in addition to regularly certifying to the regulator that your company is in compliance, the DFS Rule mandates an incident response plan[10] that includes internal processes for responding to a cybersecurity event, such as a network penetration, and a 72-hour period in which the company must notify the DFS Superintendent of such an event.[11]
DFS has the authority to assess both civil and criminal penalties, so while the costs of compliance with the DFS Rule may be significant, the costs of non-compliance could be catastrophic.
Please contact us with any questions or for guidance on how to bring your company into compliance with the DFS Rule in a timely manner.
Footnotes:
[1] 23 NYCRR § 500.03.
[2] 23 NYCRR § 500.04.
[3] 23 NYCRR § 500.05.
[4] 23 NYCRR § 500.06.
[5] 23 NYCRR § 500.14.
[6] 23 NYCRR § 500.07.
[7] 23 NYCRR § 500.19.
[8] 23 NYCRR § 500.22(b)(1).
[9] 23 NYCRR § 500.22(b)(2).
[10] 23 NYCRR § 500.16.
[11] 23 NYCRR § 500.17.