In late 2016, in response to the “ever-growing threat” posed to information and financial systems, the New York State Department of Financial Services (DFS) proposed cybersecurity regulations to “promote the protection of customer information and information technology systems of regulated entities.”
The DFS defined “covered entities” as any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law of New York. Banks, insurance companies, and other financial services institutions and licensees regulated by the DFS are just some examples of entities now under the gun with respect to implementation and enforcement of the new law.
Revised regulations — N.Y.C.R.R. 500 — went into effect March 1, 2017, after companies and individuals from the affected industries used the notice and comment period to voice concerns over anticipated hardships. The final version provides greater flexibility and discretion for businesses regulated by DFS, allowing for “covered entities” to tailor a cybersecurity program that fits their business needs; it also includes transition periods (180 days for most provisions, longer for others).
Now, attorneys expect that the first wave of compliance certifications due last week and looming deadlines to implement more technically complex aspects of the regulation will trigger an enforcement blitz. The inaugural round required businesses to adhere only to certain portions of the regulation, including the mandates to put a cybersecurity program in place, appoint a chief information security, officer and report breaches within 72 hours.
Significant Provisions of N.Y.C.R.R. 500
Significant provisions of the final New York Regulations highlight corporate responsibility, including board involvement, for developing and maintaining a cybersecurity program, and the reporting requirements associated with such a program. They include:
- Chief Information Security Officer — Covered entities must designate a qualified individual to act as the chief information security officer (CISO) to oversee the implementation and enforcement of the cybersecurity program. The covered entity may utilize a person employed by a third-party service provider or an affiliate to carry out these responsibilities, so long as someone in a senior position at the covered entity will supervise them. However, the covered entity itself must have sufficient, trained personnel to meet and execute the requirements of the cybersecurity program.
- Annual reports — The CISO must make annual reports to the covered entity’s board of directors, including information regarding the cybersecurity program and policy, any existing cyber threats, the state of the information systems, and any cybersecurity events that have occurred in the preceding year.
- Annual testing and assessments — Covered entities must conduct annual penetration testing — a change from quarterly testing — based on identified risk. Covered entities now must also conduct biannual vulnerability assessments, in addition to monitoring and testing their cybersecurity program “periodically” (as opposed to annually). This is consistent with the new requirement that covered entities set up written policies and procedures regarding risk assessments, and conduct risk assessments periodically instead of annually.
- Audit trail systems — Covered entities are required to maintain a reduced number of “audit trail systems” (down from six to three) based upon the covered entity’s risk assessment. Systems are to be designed to detect “‘cybersecurity events’ that have a ‘reasonable likelihood of materially harming any material part of the normal operations of the covered entity.” A covered entity must retain audit trail system records for five years.
- Third-party service providers — Covered entities must now implement written policies and procedures to ensure system security and the security of nonpublic information. The regulation outlines the types of issues to be covered in these policies and procedures, including guidelines for due diligence, encryption use, and notice requirements in case of a cybersecurity event.
The regulation gives covered entities some flexibility in reporting a “cybersecurity event,” or an event that would “have a reasonable likelihood of materially harming any part of the normal operation(s) of the covered entity[,]” and that would require notice to a governmental body. Covered entities must notify DFS immediately (no later than 72 hours) after a finding that an event has occurred.
Compliance and Enforcement Forecast
The DFS had made little mention of enforcement until recently, coinciding with the deadline (February 8, 2018) for the disclosures certifying compliance with the portions of the regulation that are live so far. In addition, upcoming implementation rounds in March 2018 and September 2018 will cover safeguards such as risk assessments, multifactor authentication, and encryption. Industry stakeholders expect that the regulator will soon begin full-on enforcement. Attorneys have been eyeing the first compliance certifications as an important indicator of how the department intends to enforce the novel cybersecurity requirements it has put in place.
The NY Superintendent Financial Services, Mary Vullo stated: “The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities” and that “as DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cyber criminals.”
The certification, while seemingly routine, requires a great deal of investment and assumption of risk from both companies and the individual they choose to sign off on their compliance. Under the regulation, covered entities must conduct an annual review and assessment of the program’s achievements, deficiencies, and overall compliance with the regulatory standards that are thus far in place, and either the chair of the board of directors or a senior officer is responsible for certifying this compliance through a DFS portal.
The black-and-white nature of the certification process exacerbates the potential for enforcement: Either a company can certify they are in compliance, or they cannot.
The risk of enforcement does not end with the certification process, and is likely to get only more intense as more aspects of the regulation take effect. While the first round of provisions that went live in August raised some questions about the precise scope of the regulation and the exact methods for complying with these rules, attorneys for the most part agreed that the requirements were relatively straightforward for companies that practice in this space.
The next implementation deadline falls on March 1, when companies will need to have in place measures such as the completion of a risk assessment that will help inform their broader cybersecurity plans, multifactor authentication to verify users’ identities, and vulnerability assessments to determine internal and external weaknesses.
Additional requirements such as encrypting sensitive data go into effect in September, and compliance with the entire regulation is expected by March 1, 2019.
Implementation Challenges and Predictions: New York and Beyond
While many of these requirements are quickly becoming industry standards and best practices, companies are likely to face challenges implementing them across their ecosystem and keeping up to date with the requirements.
Aside from the implementation and compliance certification deadlines, financial institutions and insurers are also likely to face the risk of enforcement during examinations, given the superintendent’s revelation last month that the department would be adding questions related to cybersecurity to its opening letters.
Liability risks will also spring up as more data breaches occur, due to the unprecedented 72-hour window for covered entities to report such incidents. While the European Union will have a 72-hour notification deadline once the bloc’s general data protection regulation takes effect in March, none of the breach-reporting laws on the books in 48 U.S. states have a reporting clock shorter than 45 days, and most don’t set a specific timeframe for reporting.
Attorneys had predicted when the regulation was finalized last year that the rules would become a de facto national standard, and industry watchers said this week that they have observed companies rolling out certain mandates across the country instead of just targeting them to their operations within New York.
Given the growing risk of enforcement by the New York regulator and the increasing likelihood of other states following suit, attorneys recommend that companies in this space continue to monitor developments closely at both the state and federal levels and focus on how to best protect their systems from emerging cyber threats.