New York Cybersecurity Regulation Basics, Final Changes
After some delay, the New York State Department of Financial Services (DFS) released its final cybersecurity requirements for financial services companies (23 NYCRR Part 500). This post describes what changed between the final version and the previous proposed version, and highlights what the regulation will require of New York financial institutions (“companies”).
The Big Changes
DFS published two proposed versions of the cybersecurity regulation before issuing the final version. The final version is substantially the same as the last proposal. The biggest changes are to the exemptions, which have grown in both scope and number.
Before, a company with fewer than 10 employees (including independent contractors) was exempt from most of the requirements. Now, companies with fewer than 10 employees located in New York, or fewer than 10 employees “responsible for business” of the covered entity, are exempt. DFS has not explained what “responsible for business” means; it likely includes supervisors and anyone who makes decisions on behalf of the company.
Before, companies with less than five million dollars in gross annual revenue in each of the past three years were exempt. Now, that five million must have arisen “from New York business operations,” which narrows the regulation’s reach and makes it more likely that smaller companies will be exempt. Yet, as law firm Hogan Lovells explains, “certain larger financial institutions with a smaller New York ‘footprint’ may qualify for either (or both) of these new limited exemptions.” Note that these exemptions are limited, not total: even when one applies, the company must still implement an appropriate cybersecurity program and policies, and the remaining requirements still apply.
There are also completely new, but narrow, exemptions for specific kinds of business entities, such as:
- A captive insurance company that does not control or maintain nonpublic information, or
- Certain charitable annuities groups, property/casualty insurers, and accredited reinsurers
While the last group is completely exempt, captive insurance companies are exempt from most, but not all, of the requirements. Further, audit trail records of cybersecurity events now need to be retained for three years, not five.
Are You Covered?
Anyone operating under a license, registration, charter or similar authorization under New York banking, insurance, or financial services law must comply with the final cybersecurity regulation. The regulation speaks in terms of Covered Entities and their Affiliates. National banks and federal savings banks are not themselves required to comply with New York’s regulation, but it is plausible that they will be affected if they are an Affiliate of a New York-based Covered Entity.
What Must You Do?
The final cybersecurity regulation is expansive and incorporates a long list of cybersecurity requirements. The following are the data security essentials:
The regulation requires you to secure “nonpublic information,” that is, information that is not publicly available. There are three main buckets: (1) business-related information whose disclosure would harm the company, (2) information that links a person’s identity (e.g. name) with sensitive data elements (e.g. Social Security number or biometric data), and (3) health care-related information.
Companies must maintain a cybersecurity program that protects nonpublic information, identifies cybersecurity risks, detects breaches, responds to and mitigates breaches, and recovers normal operations and service after a breach. These five functions track the NIST Cybersecurity Framework Core (Identify, Protect, Detect, Respond, Recover), so companies familiar with that framework or with the Federal Financial Institutions Examination Council (FFIEC) Cybersecurity Assessment Tool should not find the requirements novel or shocking.
Additionally, the final regulation imposes “reporting obligations,” such as the CISO reporting to the board of directors at least annually, notifying DFS of qualifying cybersecurity events, and certifying compliance with the regulation to DFS each year.
A company must have four separate, but related, written policies under the final regulation. It must have a main cybersecurity policy that addresses 14 separate subjects, including “systems and network monitoring” and “vendor and third-party service provider management.” It must also maintain an Incident Response Plan that sets out how the company will address a breach, a third-party service provider security policy governing the security of information systems and nonpublic information accessible to vendors, and a security policy for in-house developed applications.
Additionally, companies must carry out a variety of security processes, in forms and frequencies that vary by requirement:
- Penetration Testing
- Vulnerability Assessments
- Audit Trails
- Access Restrictions
- Risk Assessments
- Application Security
- Multi-Factor Authentication
- Data Disposal
- Adequate Staffing
Companies are advised to review each requirement individually, as several are technical (for example, multi-factor authentication for external access and the retention of audit trails) and may affect day-to-day operations.
Companies must provide “regular cybersecurity awareness training” to all personnel and more specialized training to “qualified cybersecurity personnel.” The data security training must be “updated to reflect risks identified” by the risk assessment that companies must perform periodically. This lets companies respond and adapt to the vulnerabilities they actually face, of which insider negligence appears to be the most widespread.
Not all training is created equal, however. It needs context and careful development. As we wrote previously in NY Cybersecurity Regulations Change Training Requirements:
financial institutions should understand the importance of developing an effective ethics and compliance program, of which training is a necessary component. Conduct training, at a minimum, needs to reflect case-based learning and inclusive instructional design. If done right, training helps develop a culture of compliance, which regulators like the US Department of Justice, the US Securities and Exchange Commission, and FINRA expect to see in financial institutions across the nation.
When Must You Comply?
The regulation took effect March 1, 2017. Companies have 180 days from that date (August 28, 2017) to comply with most provisions, but some provisions give companies extra time. For example, the training requirement, along with penetration testing, risk assessments and multi-factor authentication, must be in place within one year (March 1, 2018). 23 NYCRR section 500.22 has the complete list of which sections are due within which timeframes.
Every financial services company should be concerned about data security and privacy. It is squarely a top compliance priority for large companies, it protects sensitive firm and customer data, and, when implemented together with effective cybersecurity conduct training, it can act as a virtual firewall against this growing, global risk.
LawRoom (powered by EverFi) delivers online training to help your business meet compliance requirements both dynamically and scalably. In addition to our award-winning online courses, LawRoom delivers a robust, cloud-based learning management system to help you easily deploy and track our growing library of ethics, anti-harassment, data security and employee conduct courses.