The New York Department of Financial Services (“DFS”) recently issued a revised version of the cybersecurity rules1 that it first announced in the fall of last year. The rules apply to a wide range of insurance, banking, and financial services companies under the DFS’s supervision and require them to adopt robust cybersecurity programs to protect sensitive and confidential data from theft by cybercriminals. Although the revised rules appear to incorporate some of the comments made by the public and industry groups during a notice and comment period in the fall, they still impose a number of rigorous new cybersecurity requirements that will affect not just companies regulated by the DFS but many of the third party service providers who have access to confidential corporate data or systems. The new rules also leave open the question as to whether the DFS will bring enforcement actions against covered entities – and potentially their employees – for non-compliance.
On September 13, 2016, the DFS first announced and published its proposed cybersecurity rules (the “Original Rules”), which were subject to a notice and comment period.2 On December 28, 2016, the DFS issued a revised version of the rules (the “Revised Rules”), which are subject to a new 30-day notice and comment period.3 The Revised Rules are scheduled to become effective on March 1, 2017 and require “Covered Entities”4 to comply with most of their provisions within six months of their effective date.5
When Governor Andrew Cuomo first announced the Original Rules in the fall, he stated that New York was “leading the nation in taking decisive action” to address potentially costly cybersecurity threats.6 The significant concentration of insurance, banking, and financial services entities in New York ensures that the Revised Rules will play an important role in shaping cybersecurity programs across the nation.
The DFS views it as “critical” that Covered Entities develop and maintain robust cybersecurity programs designed to protect the integrity, confidentiality, and availability of their electronic information resources or “Information Systems”.7 Accordingly, the Revised Rules provide for the following:
The Revised Rules also impose standards for recordkeeping and regulatory reporting, including the reporting of cybersecurity incidents and data breaches to the DFS.
The Revised Rules also focus on the cybersecurity of third party service providers that have access to the sensitive information or computer networks of Covered Entities. Although the Revised Rules do not directly impose cybersecurity obligations on third parties that are not otherwise under the DFS’s supervision, the rules do require that the Covered Entities themselves impose cybersecurity requirements on any third party service provider that has access to the Information Systems or Nonpublic Information of a Covered Entity.30 Among other things, the rules require Covered Entities to (i) understand the cybersecurity risks posed by a third party service provider; (ii) assess the continued adequacy of any third party service provider’s cybersecurity practices; (iii) identify the minimum cybersecurity practices that a third party service provider must meet; and (iv) create guidelines for due diligence and contractual protections with respect to third party service providers used by a Covered Entity, including contractual representations and warranties addressing the adequacy of a third party service provider’s cybersecurity program.31
The Revised Rules reflect New York’s strong belief that “time is of the essence regarding cybersecurity protections.”32 Although New York State is taking the lead in establishing these minimum standards for cybersecurity programs, it is the Covered Entities that bear the responsibility – and possibly liability – for failing to meet these new standards imposed by the proposed regulations.
Indeed, failure to comply with the Revised Rules could result in DFS enforcement actions. The DFS is empowered to take any action that it “deems necessary to … protect users of financial products and services.”33 While it is not clear, at this point, how aggressively the DFS will seek to penalize Covered Entities that fail to comply with the Revised Rules, it is the Superintendent’s view that cybersecurity is one issue where New York should lead.34 In the past, the DFS has imposed steep fines on Covered Entities (and/or demanded the termination of compliance officers) that allegedly failed to implement and maintain appropriate policies and procedures in other contexts – such as with anti-money laundering compliance programs.
Accordingly, the Revised Rules create new areas of uncertainty, and potential liability, for Covered Entities, their boards, their senior officers, and CISOs. Moreover, third party service providers, including professional services firms, may find themselves facing new demands from their clients to adopt appropriate cybersecurity compliance programs.
1 N.Y.S. Dep’t of Fin. Servs., Cybersecurity Requirements for Financial Services Companies (Proposed) – 23 N.Y.C.R.R. Part 500, http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf (hereinafter “Part 500” or “Section 500.__”).
4 The rules define “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law, or the Financial Services Law [of New York].” Section 500.01(c). Certain entities may qualify for exemptions from the cybersecurity rules including, for example, entities that (i) have fewer than 10 employees or (ii) have less than $5,000,000 in gross annual revenue for each of the last three years. Section 500.19.
5 Sections 500.21 and 500.22.
6 Press Release ¶ 2.
7 Sections 500.00, 500.01(e) and 500.02. The rules define “Information System” as a “discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environment control systems.” Section 500.01(e).
8 “Nonpublic Information” refers to “all electronic information” that is not publicly available and is either (i) business information, the unauthorized disclosure or use of which would have a materially adverse impact on a Covered Entity; (ii) personal identifying information such as a person’s name in combination with other personal data records such as the person’s social security number, account number, or password; or (iii) healthcare-related information. Section 500.01(g).
9 Section 500.02.
10 Section 500.03.
11 Section 500.09(a).
12 Section 500.09(b).
13 Section 500.04(a).
14 Public Comments at 2; see N.Y.S. Regis. at 25.
15 Section 500.04(a).
16 Section 500.04(b).
17 Section 500.12. As defined in Section 500.01(f), Multi-Factor Authentication is the use of at least two different types of authentication factors (e.g., a password and a token) to verify that a user is authorized to access Information Systems.
18 Section 500.15.
19 Section 500.05.
20 Section 500.12.
21 Section 500.15(a).
22 Section 500.15(a)(1) and (2).
23 Section 500.06(a).
24 Section 500.06(b).
25 Sections 500.17 and 500.21.
26 Section 500.02(d). The Revised Rules provide that information given by a regulated entity to the DFS enjoys certain protections from public disclosure. See Section 500.18 (“Information provided by a Covered Entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable state or federal law”). This provision was added based on concerns expressed by commentators about the confidentiality of notices provided to DFS. See Cybersecurity Requirements for Financial Services Companies, No. DFS-39-16-00008-RP, N.Y.S. Regis. 23, 26 (Dec. 28, 2016), https://docs.dos.ny.gov/info/register/2016/dec28/pdf/rulemaking.pdf#page=23 (hereinafter “N.Y.S. Regis. at __”).
27 The rules define “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.” Section 500.01(d).
28 Section 500.17(a).
29 N.Y.S. Dep’t of Fin. Servs., Assessment of Public Comments for New Part 500 to 23 N.Y.C.R.R. at 4, http://www.dfs.ny.gov/legal/regulations/proposed/rp500apc.pdf (hereinafter “Public Comments at __”); see N.Y.S. Regis. at 26.
30 Section 500.11(a).
31 Section 500.11(a) & (b).
32 N.Y.S. Regis. at 26.
33 N.Y. Fin. Serv. Law § 301 (2012).
34 “New York’s New Bull on Wall Street,” by C. Lane, WRVO Public Media, October 24, 2016. http://wrvo.org/post/new-york-s-new-bull-wall-street.