The New York State Department of Financial Services has promulgated 17 new cybersecurity regulations which apply to regulated entities doing business in New York. The new DFS rules apply to all entities under its jurisdiction, including insurance companies, insurance agents, banks, charitable foundations, consumer lenders, mortgage brokers, holding companies and premium finance agencies. These regulations require encryption of all non-public information held or transmitted by the covered entity, require each regulated company to promulgate a written cybersecurity program, and appoint a chief information security officer (“CISO”), who must report directly to the board of directors and issue an annual report, setting forth an assessment of the company’s cybersecurity compliance and any identifiable risks for potential breaches. See New York 23 NYCRR §501 et. sec., . http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
The purpose of the new regulations is to enhance data security, prepare for and prevent cybersecurity attacks against financial institutions which hold confidential customer information. According to its preamble, “this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.” (http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf).
With the possible exception of Massachusetts, which implemented a wide-reaching cybersecurity law in 2010, the DFS regulations are the first in the nation to require specific state-wide cybersecurity measures for an entire industry. Given New York’s status as a financial center, the DFS regulations are expected to have wide-ranging effects and influence insurance and financial services practices throughout the country.
The DFS regulations require each covered company to establish a comprehensive written cybersecurity policy addressing specific areas, including information security, data governance and classification, a business continuity and disaster recovery plan, systems operations and availability concerns, network security, customer data privacy, risk assessment, and related topics. The written cybersecurity policy should also contain a proposed plan of response to a potential data breach or other cyber event, which must be reviewed and approved by the board of directors and chief executive on an annual basis.
As a practical matter, compliance with the new regulations imposes some hurdles. In the first instance, determining the compliance dates of the regulations is not a simple matter. The implementation dates of these regulations are staggered; some went into effect in 2017, others became active on March 1, 2018, still others are being implemented on September 1, 2018. The final regulation, which requires registrants to attest to the cybersecurity practices and policies of their third-party vendors, goes into effect on March 1, 2019.
Registrants which have missed the March 2018 deadline for filing a cybersecurity plan with DFS may have received a notice of non-compliance, warning them that they should file their plans, and get to work on preparing for cybersecurity compliance. While at the time of writing, the authors have not seen any major enforcement actions by DFS, this is likely to change in the not-too-distant future.
The 17 regulations, and their compliance dates, can be summarized as follows:
|Regulation No.||Regulation||Effective Date|
|500.2||Cybersecurity Program to be maintained||March 1, 2017|
|500.3||Written Cybersecurity Policy Approved by Senior Officer or board; may be affiliate program||March 1, 2017|
|500.4||Chief Information Security Officer Must Be Appointed; Can be Affiliate or Outside Contractor||March 1, 2018|
|500.5||Penetration testing or Continuous Monitoring||March 1, 2018|
|500.6||Audit Trail: maintain financial and other information for two to five years||September 1, 2018|
|500.7||Limit and Review Access Privileges||March 1, 2017|
|500.8||Application Security: Written Procedures for In-house Applications||September 1, 2018|
|500.9||Periodic Risk Assessments in accordance with written policies||March 1, 2018|
|500.10||Use, Hiring and training of Qualified Cyber Security Personnel||March 1, 2017|
|500.11||Third Party Providers: Written Policy and Procedure||March 1, 2019|
|500.12||Multifactor Authentication for accessing data from an external network||March 1, 2018|
|500.13||Limitations on Data Retention: can’t maintain unnecessary data||September 1, 2018|
|500.14||Training and Monitoring authorized users||9/1/18 (section a)
3/1/18 (section b)
|500.15||Encryption of Non-Public Information||September 1, 2018|
|500.16||Written Incident Response Plan||March 1, 2017|
|500.17||Notice to Superintendent of Cybersecurity Events||March 1, 2017|
|500.18||Maintain Confidentiality of Non-Public Information||March 1, 2017|
Limited partial exemptions are available for a number of regulated entities. For example, a smaller registrant with fewer than ten employees, less than $5 million in gross revenue (including affiliates) from business in New York, or less than $10 million in total assets (including affiliates) is exempt from nine of the seventeen regulatory requirements, including the need to appoint a chief information security officer, maintain an audit trail, use and hire qualified cybersecurity staff, implement multifactor authentication, encryption or a written incident response plan. A partially exempt registrant must still file a notice of exemption and comply with the remaining regulations.
A different limited exemption is available for a risk retention group which is licensed under New York Insurance Law § 5904, as well as a charitable annuity or a reinsurer. There is also an exemption for registrants which do not use or access non-public information.
While employees of covered entities are themselves considered covered entities under the rules, these individuals are exempt from compliance and need not develop their own cybersecurity programs to the extent they are covered by the cybersecurity programs of their employer.
In addition, covered entities which do not operate, maintain or control information systems and do not receive non-public information are exempt from 12 of the 17 specified requirements of the regulations. Non-public information is defined as business information of the covered entity, including, presumably trade secrets; personal identifying information about an individual, and any information or data regarding medical or health care treatment of an individual.
A registrant’s cybersecurity program should comply with the seventeen requirements of the DFS regulations. These are summarized as followed, bearing in mind that the actual text of the regulations contains additional details. The registrant should:
- Maintain a cybersecurity Program; This may be adopted from an affiliate, and should detect and prevent cybersecurity risks, and use defensive infrastructure.
- Prepare a written cybersecurity policy approved by a senior officer or the board; This policy should meet 14 factors outlined in the regulations, including information security, data governance and classification, asset inventory and device management, access controls, business continuity and disaster recovery planning; systems operations; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third party service provider management, risk assessment and incident response.
- Designate a Chief Information Security Officer, who should maintain cybersecurity policies and procedures and issue an annual written report to the board of directors about the firm’s cybersecurity program and any lapses. The CISO may be an independent contractor or work for an affiliate.
- Engage in penetration testing by continuous monitoring or by annual testing, plus biannual vulnerability assessments.
- Maintain an audit trail designed to reconstruct material financial transactions and designed to detect and respond to cybersecurity events.
- Limit and periodically review access privileges.
- Engage in periodic risk assessments designed to anticipate potential cybersecurity threats.
- Use and train qualified cybersecurity personnel.
- Institute written guidelines for maintaining the security of internal and external applications used by the company.
- Prepare a written policy and procedure for third-party providers’ data security, including: risk assessment, minimum cybersecurity practices, periodic assessment of cyber-risk provided by third party providers, guidelines for due diligence, third parties’ use of encryption and related issues.
- Prepare written limitations on data retention.
- Multi-factor authentication for any person accessing the company’s internal networks from an external network.
- Encryption of nonpublic information, to the extent feasible.
- Training and monitoring of company personnel regarding cybersecurity.
- Preparation of a written incident response plan, including internal roles, goals, remediation, etc.
- A registrant should include notice to the Superintendent in the event of a data breach;
- Maintain the confidentiality of non-public information.
As mentioned, the DFS regulations require registrants to certify, by March 1, 2019, that third party vendors with whom they do business have adequate cybersecurity programs in effect. Of particular interest to law firms who represent financial institutions is §500.11 of the new DFS regulations, which requires each covered entity to “implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by third-parties doing business with the covered entity.” Thus, covered entities, including insurance companies, which provide access to personal identifying information to third-party vendors must certify not only that their own information systems are adequate, but that the information security systems of vendors with whom they do business are also secure and protected. In other words, vendors who do business with regulated financial service companies will eventually be expected to comply with the cybersecurity standards of their represented clients.
The New York DFS cybersecurity regulations are being implemented on a staggered schedule, with additional compliance dates scheduled for September 2018 and March 1, 2019. The requirements of the DFS regulations should be noted not only by registrants, but also by vendors who do business with them.
Registrants should act diligently to ensure their compliance with DFS cybersecurity requirements. Cybertechnology experts are expecting enforcement action from the DFS, and no company wants to be the first case.