New Cybersecurity Regulations for Financial Services Companies in New York State

Blank Rome LLP

Action item: Banking, insurance, and other financial services companies in New York State must be aware of new comprehensive cybersecurity regulations proposed by the Department of Financial Services that will require covered entities to put in place a cybersecurity program, policies, procedures, and controls. Under the proposed regulations, financial services companies will be required to certify their compliance with the regulations annually to the Superintendent, and to report security incidents to the Superintendent within 72 hours.

The New York State Department of Financial Services (“NYDFS”) recently proposed regulations titled “Cybersecurity Requirements for Financial Services Companies” (the “Proposed Regulations”). The Proposed Regulations are subject to a 45-day comment period before final issuance. Unless there is a change, the regulations will go into effect on January 1, 2017, and “Covered Entities” will have 180 days after that to come into compliance.

The NYDFS has been active in cybersecurity for some time, conducting assessments of banking and insurance companies and issuing related reports. Now it is taking the unusual step of issuing comprehensive cybersecurity requirements for entities operating under a license, registration, certificate, or permit issued under New York State’s banking, insurance, or financial services laws. To date, there are very few comprehensive security regulations in place at either the state or federal level. Financial institutions that are Covered Entities under the Proposed Regulations may also be required to comply with other cybersecurity requirements, including under Gramm-Leach-Bliley, the Safeguards Rule, or Dodd-Frank.

The Proposed Regulations are broad, and cover “Non-Public Information” or “NPI.” NPI is limited to electronic information, but is defined expansively to include:

  1. Any business related information of a Covered Entity the tampering of which, or unauthorized disclosure, access, or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity;
  2. Any information that an individual provides to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, or is about an individual resulting from a transaction involving a financial product or service between the Covered Entity and an individual, or that a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual;
  3. Any information, except age or gender, that is created by, derived or obtained from a health care provider or an individual and that relates to the past, present, or future physical, mental, or behavioral health or condition of any individual or member of the individual’s family or household, or from the provision of health care to any individual, or from payment for the provision of health care to any individual; and
  4. Any information that can be used to distinguish or trace an individual’s identity, including name, social security number, date of birth, place of birth, mother’s maiden name, biometric records, any information that is linked or linkable to an individual, including medical, educational, financial, occupational, or employment information, information about an individual used for marketing purposes, or any password or authentication factor.

It is important to note that the definition of NPI goes well beyond the definition of “Private Information” under New York State’s security breach notification requirements contained in the New York General Business Law, which is limited to sensitive personal information such as name plus social security number, driver’s license number, or credit card number. Accordingly, the incident response process and notification requirements set forth in the Proposed Regulations apply to a very broad category of data, including purely business information about the Covered Entity, and do not include any exception for de-identified individual data. Further, the definition of a “Cybersecurity Event” under the Proposed Regulations is also broad and includes “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse any Information System or information stored on such Information System.” The event need not be successful to be considered a Cybersecurity Event. So, Covered Entities may be in the position of having to notify the Superintendent of a Cybersecurity Event that involves an unsuccessful attempt at access to its own business-related information that does not include any sensitive personal information.

The Proposed Regulations require Covered Entities to put in place a cybersecurity program, policies, procedures, and controls, none of which are terribly surprising if you have followed what the Federal Trade Commission or the Consumer Financial Protection Bureau consider “reasonable security.” The amount of detail set forth in the Proposed Regulations may come as a relief to some entities that prefer to know exactly what is required of them rather than trying to interpret the vague and evolving concept of “reasonable security.” However, some of the language goes a little too far when the Proposed Regulations, for example, state that cybersecurity functions must be designed to mitigate “any negative effects” of a Cybersecurity Event. (It may not be practical or even possible to mitigate all negative effects of a Cybersecurity Event.)

The following outlines the substantive requirements of the Proposed Regulations in detail.

Cybersecurity Program: Each Covered Entity must have a cybersecurity program that is designed to ensure the confidentiality, integrity, and availability of the Covered Entity’s electronic information systems. The cybersecurity program must be designed to perform at least the following core functions:

  • Identify internal and external cyber risks, including by identifying the NPI stored on the information systems, the sensitivity of such NPI, and how and by whom such NPI may be accessed;
  • Use defensive infrastructure and implementation of policies and procedures to protect the information systems and the NPI stored on those systems from unauthorized access, use, or other malicious acts;
  • Detect Cybersecurity Events;
  • Respond to identified or detected Cybersecurity Events to mitigate any negative effects;
  • Recover from Cybersecurity Events and restore normal operations and services; and
  • Fulfill all regulatory reporting obligations.

Cybersecurity Policy: Each Covered Entity must have a written policy for the protection of its information systems and the NPI stored on those systems, which addresses:

  • Information security
  • Data governance and classification
  • Access controls and identity management
  • Business continuity and disaster recovery planning and resources
  • Capacity and performance planning
  • Systems operations and availability concerns
  • Systems and network security
  • Systems and network monitoring
  • Systems and application development and quality assurance
  • Physical security and environmental controls
  • Customer data privacy
  • Vendor and third party service provider management
  • Risk assessment
  • Incident response

At least once annually, the policy must be reviewed by the Covered Entity’s Board of Directors or similar governing body and must be approved by a senior officer of the Covered Entity.

Chief Information Security Officer: Each Covered Entity must designate a Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. This requirement can be met by using a third party vendor as an external CISO, but there must be appropriate oversight of the external CISO by the Covered Entity. The CISO must at least bi-annually report to the Covered Entity’s Board of Directors or governing body and the report must be made available to the NYDFS superintendent upon request.

Penetration Testing and Vulnerability Assessments: The cybersecurity program must include penetration testing at least annually, and vulnerability testing at least quarterly.

Audit Trail: Covered Entities are required to maintain an audit trail system that (i) tracks and maintains data that allows for the complete and accurate reconstruction of all financial transactions and accounting necessary to enable the Covered Entity to detect and respond to a Cybersecurity Event, (ii) tracks and maintains data logging of all privileged authorized users’ access to critical systems, (iii) protects the integrity of data stored and maintained as part of the audit trail from alteration or tampering, (iv) protects the integrity of hardware from alteration or tampering, including by limiting electronic and physical access permissions to hardware and maintaining logs of physical access to hardware that allows for event reconstruction, (v) logs system events including access and alterations made to the audit trail systems by the systems or by an authorized user, and all system administrator functions performed on the systems, and (vi) maintains records produced as part of the audit for not fewer than six years.

Access Privileges: Covered Entities must limit access privileges to their information systems that provide access to NPI solely to those individuals who require such access in order to perform their responsibilities and must periodically review such access privileges.

Application Security: Covered Entities must have written procedures, guidelines, and standards (to be reviewed annually) designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, as well as procedures for assessing and testing the security of externally developed applications used by the Covered Entity.

Risk Assessment: At least annually, each Covered Entity must conduct a risk assessment of its information systems, carried out in accordance with written policies and procedures, and the assessment must be documented.

Cybersecurity Personnel and Intelligence: Each Covered Entity must employ cybersecurity personnel sufficient to manage its cybersecurity risks and to perform the core cybersecurity functions specified in the Proposed Regulations. The Covered Entity may use a qualified third party.

Third Party Information Security Policy: Covered Entities must implement written policies and procedures designed to ensure the security of their Information Systems and NPI that are accessible to, or held by, third parties that they do business with. Such policies and procedures must address things like:

  • Identification and risk assessment of third parties;
  • Minimum cybersecurity practices required to be met by third parties;
  • Due diligence processes used to evaluate adequacy of cybersecurity practices; and
  • Periodic assessment (at least annually) of third parties and continued adequacy of their cybersecurity practices.

Note that contracts with third parties must include identity theft protection services for customers materially impacted by a Cybersecurity Event that results from the third party service provider’s negligence or willful misconduct.

Multi-factor Authentication: Each Covered Entity must require multi-factor authentication for any individual accessing the Covered Entity’s internal systems or data from an external network and for privileged access to database servers that allow access to NPI, and require risk-based authentication in order to access web applications that capture, display, or interface with NPI.

Limitations on Data Retention: Covered Entities must have policies and procedures for the timely destruction of NPI when it is no longer necessary for the provision of the products or services for which the NPI was provided to the Covered Entity, except when it is required to be retained by law or regulation. Note that it is not clear from the Proposed Regulations whether this would allow records to be retained for purposes of litigation.

Training and Monitoring: Covered Entities must implement risk-based policies and procedures to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, NPI. All personnel must attend regular cybersecurity awareness training sessions that are updated to reflect risks identified by the Covered Entity in its annual risk assessments.

Encryption of NPI: Covered Entities must encrypt NPI both in transit and at rest. If encryption of NPI in a system is currently infeasible, the Covered Entity may instead secure the NPI using appropriate controls reviewed and approved by the Covered Entity’s CISO, but these alternative security measures must not be used for more than one year after the effective date for data in transit, or for more than five years after the effective date for data at rest.

Incident Response Plan: As part of its cybersecurity program, each Covered Entity must establish a written incident response plan designed to promptly respond to and recover from a Cybersecurity Event affecting the confidentiality, integrity, or availability of the Covered Entity’s information systems or the continuing functionality of any aspect of the Covered Entity’s business. The plan must address: (i) the internal process for response, (ii) the goals of the response plan, (iii) the definition of clear roles, responsibilities, and levels of decision-making authority, (iv) external and internal communications and information sharing, (v) remediation of any identified weaknesses in the entity’s information systems and associated controls, (vi) documentation and reporting regarding Cybersecurity Events and related incident response activities, and (vii) the evaluation and revision of the incident response plan following a Cybersecurity Event.

Notices to Superintendent: Each Covered Entity must notify the Superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects NPI. The Covered Entity must notify the Superintendent as promptly as possible, but in no event later than 72 hours after becoming aware of such Cybersecurity Event. By January 15 each year starting in 2018, each Covered Entity must submit to the Superintendent a written statement certifying its compliance with the requirements of the Proposed Regulations.

Limited Exemption: Covered Entities with fewer than 1000 customers, less than $5 million in annual gross revenue, and less than $10 million in year-end total assets will be exempt from some of the regulations, but must still comply with the following substantial and challenging requirements:

  • Chief Information Security Officer
  • Penetration testing and vulnerability assessments
  • Audit trail
  • Application security
  • Cybersecurity personnel and intelligence
  • Multi-factor authentication
  • Training and monitoring
  • Encryption of NPI
  • Incident response plan

Unlike large public companies that are accustomed to audits and cybersecurity regulations, whether state or federally mandated, entities that fall under the Limited Exemption likely do not have many of these requirements in place. These entities will undoubtedly face fiscal and human capital challenges in implementing what are sure to be costly and time-consuming regulations.

Interested parties will likely comment on the Proposed Regulations, and Blank Rome’s Cybersecurity and Data Privacy Group will be watching to see if any changes are made before the January 1, 2017 compliance deadline. We stand ready to help clients understand what the Proposed Regulations mean for their organizations and to work with them to comply.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations. Attorney Advertising.

© Blank Rome LLP
