Compliance certification for New York cybersecurity regulation has arrived
Published February 15, 2018
On March 1, 2017, New York’s first-in-the-nation cybersecurity regulation took effect, requiring banks, insurance companies, and other financial service institutions regulated by the New York Department of Financial Services (“DFS”) to implement and maintain a cybersecurity program designed to protect consumers’ private data. The new rules require a written policy or policies that are approved by its board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
Regulation 23 NYCRR Part 500 (the “Regulation”) applies to a “Covered Entity,” defined under Section 500.01(c) as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Certain organizations may qualify for an exemption under Section 500.19, and a limited exemption from certain sections of the Regulation is available to smaller organizations under Section 500.19(a). The limited exemption is available to companies with:
(1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity;
(2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates; or
(3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.
Captive insurance companies may receive an exemption from nearly all requirements under Section 500.19(d).
The Regulation is being implemented in stages, beginning on March 1, 2017. Section 500.17 requires that each Covered Entity submit its first annual compliance certification, in writing, no later than February 15, 2018. The written statement covers the prior calendar year, certifies that the entity complies with the applicable requirements of the Regulation, and must be signed by the board chairperson or a senior officer. Each Covered Entity must maintain all records, schedules and data supporting the certification for a period of five years and make them available to the DFS upon request.
The following table provides a summary of the major requirements of the Regulation and their applicability to Covered Entities and to those that have filed for a limited exemption:
The notice and confidentiality provisions under Sections 500.17 and 500.18 are applicable to all entities and, as stated above, certain requirements are being phased in over various transitional periods and may not require compliance with specific sections until March 1, 2018, September 3, 2018, or March 1, 2019.
At a minimum, these new rules will require a Covered Entity, including one with a limited exemption, to conduct a periodic risk assessment of its information systems sufficient to properly design, develop and maintain a cybersecurity program and policy. The cybersecurity program should be designed to protect the confidentiality, integrity and availability of a Covered Entity’s information systems. The cybersecurity policy should set forth the Covered Entity’s policies and procedures for the protection of its information systems and non-public information stored on its information systems. The cybersecurity policy should address the following areas to the extent applicable to its operations:
(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management;
(m) risk assessment; and
(n) incident response.
Finally, as part of its cybersecurity program, each Covered Entity shall limit user access privileges to information systems that provide access to non-public information and shall periodically review such access privileges.
While New York is first out of the gate with state-mandated cybersecurity regulations in the financial services sector, we continue to see an increasing number of businesses, in all sectors, subject to some of these same requirements, primarily at the request of key customers. It likely won’t be long before other states or regulatory agencies issue their own cybersecurity regulations, and they may very well mirror these DFS regulations.
Cyberattacks continue to be on the rise, and all organizations should assess how best to protect their client and customer information. The sooner you address your cybersecurity risk management program and evaluate the effectiveness of the controls within that program, the better positioned you will be not only to protect sensitive data but also to comply with future requirements once compliance is no longer optional.