In September 2016, New York Governor Andrew Cuomo proposed regulations that require certain financial institutions to implement a cybersecurity program. After receiving comments on the original proposed regulation, the New York State Department of Financial Services (DFS) revised the proposed regulation in December, and the 30-day notice and comment period required before the regulation can go into effect has now ended.
The DFS has updated its proposed regulation on cybersecurity requirements for financial services companies, and some changes could work in favor of so-called “Covered Entities.” However, companies impacted by the cybersecurity regulation should be aware the revisions will not lessen the burdens or decrease the regulatory risks created by the new cybersecurity obligations. In fact, some of the changes could make it more difficult for companies to demonstrate compliance and that they acted in a reasonable manner after a cybersecurity incident occurred.
Two key dates were changed. The regulation’s effective date was pushed back to March 1, 2017 (from Jan. 1, 2017), and the first date of compliance certification was pushed back to Feb. 15, 2018.\
Other important changes include:
- Re-emphasizing the role the “periodic risk assessment” required by Section 500.09 will play in determining compliance.
- Clarified that a company may adopt an Affiliate’s cybersecurity program, including a definition of a “Third Party Service Provider”.
- Fine-tuned the definition of “Nonpublic information” to more closely track traditional definitions of “personally identifiable information.”
The regulation still requires a 72-hour notification to DFS after a “cybersecurity event” has occurred, although it is more sharply defined to cover reportable events that have a reasonable likelihood of “materially harming” any part of the Covered Entity’s normal operations.
What’s the Same:
Overall, the DFS cybersecurity regulation contains the same key cybersecurity obligations, including:
- Maintaining cybersecurity policies and programs based on a risk assessment
- Conducting regular penetration testing, training, audits, third party security programs
- Regular purging of data
Also remaining in place is the requirement that a Covered Entity’s senior management – including the board of directors – review the cybersecurity program, and that a certification of compliance be filed with DFS.
These changes will affect how companies come into compliance with the DFS cybersecurity rule, but they should not be viewed as materially lessening a Covered Entity’s burdens or the possible consequences of a finding that the Covered Entity was not in compliance. There is enough leeway in the revised DFS cybersecurity regulation for New York officials to make an ex post facto finding that the Covered Entity’s program was insufficient, that improper internal oversight was being utilized, or even that its Risk Assessment was “sufficient.”
What’s Next – Getting Ahead of Regulatory Risk
Organizations must start getting ready now to meet the regulation. Third parties can assist in quickly completing many requirements such as security program (gap/risk) assessments, penetration testing, vulnerability assessments, training, and tabletop exercises.
However, the majority of organizations may struggle with complex time-consuming issues like: holistic network visibility, monitoring, detection, interpreting the latest threat intelligence for organizational defense, incident response, data classification and identification of the high value assets this data resides in, and third party exposure and risk.
The complex issues can also be accelerated by partnering with experienced vendors, however, they involve extensive reach back into the business lines and senior management, architectural changes, technology investments and “hard to find capable” resources.
Additionally, after the programs are implemented and the true risk picture finally emerges, business risk decisions will need to be made throughout the organization. These decisions will need to be well-documented to withstand the scrutiny of the regulatory agencies into the decision making process. This can and has been accomplished before in many organizations after a breach or in-depth assessment, however, it takes planning and time.
What does that mean then for Covered Entities? Practically speaking, now more than ever they need to create some level of confidence internally that their program has been well-designed, vetted, and can withstand regulatory scrutiny. Key factors for the leadership of Covered Entity’s to consider include using strong and reputable third party security vendors, carefully documenting decisions as to why certain measures were taken (or not taken), and taking advantage of liability protections (if applicable) such as the Department of Homeland Security’s SAFETY Act program.
To be clear, nothing can stop DFS from launching an invasive and expensive investigation into a Covered Entity after a “Cybersecurity Event” has occurred. However, with careful preparation and assistance from market-leading partners, Covered Entities may stand a far better chance of pushing back against DFS allegations of non-compliance or, even worse, negligence. Your legal counsel can help you determine your compliance requirements.
For inquiries or more information about the updated proposed New York State DFS cyber regulations, please email us at CyberRisk@FireEye.com.
 Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.