New York Refines Proposed Cybersecurity Regulations for Financial Institutions
Financial Institutions Alert 01/19/17 James I. Kaplan
In early October 2016, we discussed the New York State Department of Financial Services’ (NYDFS) proposed cybersecurity regulations for financial institutions in response to large-scale data breaches. The rules originally required covered entities to implement a cybersecurity program along with a cybersecurity policy, hire a Chief Information Security Officer (CISO), conduct oversight of third party service providers, and various additional requirements. The regulations were to go into effect on January 1st; however, numerous comments prompted NYDFS to propose new revised regulations which will now be in effect on March 1, 2017. The comment period for the new proposal ends January 28, 2017.
We described in our previous alert that the original proposed regulations took a blanket approach and would invite criticism, which they did. Fortunately, NYDFS heeded many of the comments and was persuaded to narrow the parameters of some aspects of the regulations. For instance, the regulations apply to all “nonpublic information,” which was originally defined broadly to include almost all information provided by individuals when seeking a financial or insurance product, but is now significantly narrowed only to information which can be used to identify an individual. Business related nonpublic information has not changed, and is still defined to include any information, if tampered with or improperly disclosed, that would cause a material adverse impact.
Other changes appear to provide some immediate logistical relief to covered entities. For example, certain requirements can now be shared among affiliates, such as the CISO (who may also be employed by a third party) and the cybersecurity program requirement, providing consolidated flexibility across organizations. The original rules had contemplated each of these requirements to be met by each covered entity individually. Other changes from the prior iteration of the regulations involve data encryption, where originally, encryption was required at all times (in transit, and at rest), but now, only when “feasible.” Finally, the 72-hour notice of breach requirement has been relaxed to require entities to provide notice within 72-hours of determining whether a cybersecurity event has occurred, rather than within 72-hours of the event actually occurring as in the prior version of the regulations.
The overall scheme of the regulations remains the same, with some fine tuning around the edges as discussed. Covered entities still need to develop a cybersecurity policy and program, hire a CISO, conduct vendor oversight, and fulfill additional requirements, such as annual penetration testing and employee training, to name a few. In addition to flexibility among the finer points of the regulations, NYDFS has extended some of the compliance timeframes. Covered entities will have until September 2017 to comply with the new regulations, but additional time to roll out other aspects, including but not limited to, employee training and reporting to the board (March 2018), data policies and encryption (September 2018), and third party service provider oversight policies (March 2019).
As New York takes the lead here, we note that various federal agencies are set to implement their own rules later this year. While there is much uncertainty due to the new administration and its impact on federal regulators, we know what New York will do, and more importantly, that the state has listened to some industry concerns.