President & Managing Director
WHITE PAPER
On December 28, 2016, the New York Department of Financial Services
(DFS) announced that it had revised its proposed cybersecurity regulations in
response to public comments that they would be too burdensome, particularly on
smaller institutions. The proposed rules, which were initially announced on
September 13, 2016, and set to take effect on January 1, 2017, were billed as a
“first-in-the-nation regulation” to protect New York residents from
cyberattacks.
The “Cybersecurity Requirements for Financial Services Companies” (“Regulation”)
is promulgated through Part 500 of Title 23 of the Official Compilation of
Codes, Rules and Regulations of the State of New York, and takes effect upon
publication in the State Register.[i]
These guidelines would require banks, insurers and other financial
services companies regulated by the DFS to set up a cybersecurity program aimed
at protecting consumer information from cyberattacks. The revised regulation
eases certain reporting and encryption requirements, and exempts small
institutions from complying with certain sections of the rule.
The Regulation, as revised, is set to take effect on March 1, 2017. There
is a transitional period of 180 days from the March 1 effective date, with
longer implementation timeframes of 12 months, 18 months or 24 months granted
as exceptions for certain requirements. Covered entities will be required to
prepare annually and submit to the DFS a Certification of Compliance[ii] with the
New York State Department of Financial Services Cybersecurity Regulations,
commencing February 15, 2018.
In this article, I will provide a high-level overview of these
guidelines. This outline is not meant to be comprehensive. However, I will hit
on several salient areas of interest. Expect these requirements to become a
model for examination and enforcement in most other states. Lenders Compliance
Group has provided risk assessments for cybersecurity, information security,
and information technology based on the Federal Financial Institutions
Examination Council's (FFIEC) procedures. So, my firm has experience in
cybersecurity risk assessments. Given that familiarity, we now are providing an
overlay for the DFS cybersecurity requirements that are promulgated in the
Regulation.
Cybersecurity Program
Each covered entity – that is, any person operating under or required
to operate under a license, registration, charter, certificate, permit,
accreditation or similar authorization under the New York State Banking Law,
the Insurance Law or the Financial Services
Law – must maintain a cybersecurity program designed to protect the
confidentiality, integrity and availability of the covered entity’s Information
Systems.
The Regulation defines a “cybersecurity event” as any act or attempt,
successful or unsuccessful, to gain unauthorized access to, disrupt or misuse
an information system or information stored on such information system. For
purposes of this regulation, an information system is a “discrete set of
electronic information resources organized for the collection, processing,
maintenance, use, sharing, dissemination or disposition of electronic information,”
as well as any specialized system such as industrial and process controls
systems, telephone switching and private branch exchange systems, and
environmental control systems.
The covered entity must conduct a risk assessment, and its cybersecurity
program must be based on that risk assessment and also be designed to perform
the following core cybersecurity functions:
- identify and assess internal and external cybersecurity risks that may threaten the security or integrity of all electronic information that is not publicly available information, known as Nonpublic Information (“NPI”), stored on the covered entity’s information systems;
- use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the NPI stored on those information systems, from unauthorized access, use or other malicious acts;
- detect cybersecurity events;
- respond to identified or detected cybersecurity events to mitigate any negative effects;
- recover from cybersecurity events and restore normal operations and services; and
- fulfill applicable regulatory reporting obligations.
With respect to covered entities that have affiliates, the requirements
of the Regulation permit adoption of a cybersecurity program maintained by an affiliate,
provided that the affiliate’s cybersecurity program covers the covered entity’s
information systems and NPI and meets the requirements of the Regulation. An
affiliate is any Person that controls, is controlled by or is under common
control with another Person. For purposes of the Regulation, control means the
possession, direct or indirect, of the power to direct or cause the direction
of the management and policies of a Person, whether through the ownership of
stock of such Person or otherwise.