In an effort to combat the growing prevalence of large-scale corporate cyberattacks, the New York Department of Financial Services (“NYDFS”) is rolling out a revamped cybersecurity regulation for financial services companies to take effect TODAY (March 1, 2017). This ambitious regulation is broadly drafted and carries a heavy compliance burden intended to protect consumers and ensure the safety and soundness of New York State’s financial services industry. Even if you are not directly in banking or insurance, read on to see how these regulations may affect your company.
Overview of the regulation
The detailed cybersecurity law arrives after some initial delays and is the result of multiple rounds of revisions and extensive input from financial industry groups. The text of the Cybersecurity Requirements for Financial Services Companies (the “Regulation”) is available here.
With very few exceptions, banks, insurers and financial service institutions conducting business in New York and regulated by NYDFS are “Covered Entities” under the Regulation and will be required among other things to:
- Designate a chief information security officer (a “CISO”);
- Create an intensive response plan for security breaches;
- Conduct annual self-evaluations of their cybersecurity vulnerabilities and develop corresponding updated security plans;
- Require that employees go through cybersecurity training; and
- Report cybersecurity events to the state within 72 hours of discovery.
Certain entities are exempt from the new requirements, in particular (i) organizations with fewer than 10 employees located in New York or responsible for the business of the Covered Entity, (ii) organizations that make less than $5 million in gross annual revenue from New York business operations in each of their last three fiscal years, or have less than $10 million in year-end total consolidated assets, (iii) charitable annuity societies or risk retention groups not charted in New York, and (iv) any accredited reinsurer or certified reinsurer provided these organizations do not otherwise qualify as a Covered Entity.
The Regulation is poised to have a major impact on both New York’s financial institutions as well as organizations outside the finance industry. Due to the obligations imposed on third party service providers that have access to the nonpublic information of Covered Entities (see Section 500.11), any number of IT service vendors, law firms, accounting firms, and a host of other service providers will be confronted with new requirements. These third party service providers will need to implement multifactor authentication and encryption of nonpublic information, and inform their customers subject to the Regulation of a cybersecurity event impacting that customer’s information systems or non-public information. Covered Entities themselves will also be tasked with writing cybersecurity policies and procedures for, and conducting periodic risk assessments of, their third-party vendors. Altogether, we can expect to see a significant impact across various industries ripple across large institutional clients and their network of service providers.
While the new requirements have been lauded for pushing a proactive cybersecurity framework – one that is comparable to the best practices established by the National Institute of Standards and Technology – they have also prompted widespread criticism throughout the revision process. Experts have expressed concern over previous versions’ lack of “flexibility” in permitting companies to tailor assessments and notifications to their unique vulnerabilities. Many also worry that smaller banks, credit unions, and insurers may not have adequate resources to comply with the CISO mandate, policy-writing, and technological updates required despite the fact that the compliance window for various aspects of the Regulation varies from 180 days to 2 years. Ultimately, however, supporters of the Regulation emphasize that it is a significant step toward creating a more unified strategy against the threat of potentially devastating cybersecurity hacks, and should serve as a model for other states and industries going forward. The purpose is clear and beneficial. The Regulation seeks to both define good security practices and ensure that the Board is responsible for the implementation of those security practices.
One big problem: So many rules
While the NYDFS’s regulatory overhaul represents a significant step for industry-specific cybersecurity protocols, it may impact the implementation of emerging rules in other industries. A primary example is the anticipated final version of the National Association of Insurance Commissioners’ (“NAIC”) cybersecurity model law, which could implicate New York insurance agencies and brokers that must also comply with the Regulation.
The NYDFS and NAIC standards aim to offer greater uniformity for regulating consumer privacy and institutional cybersecurity. However, the prospect that financial services companies or insurers might need to navigate two or more regulatory regimes raises significant concerns about impacts on profitability and cost to consumers. Unfortunately there is no easy path to comprehensive and consistent regulation and there continues to be no indication that the federal government intends to step in to supplant state regulation with broad national standards.
While the NYDFS regulation takes effect today, the latest public comment period for the NAIC’s model law ended on September 16, 2016, and a new draft of the law is anticipated in early 2017. We will keep you posted on these and other emerging regulations as states and industries continue to shoulder the load in the cybersecurity arena.
Covered Entities and third-party service providers to Covered Entities should not lose any time in planning for compliance. We recommend that organizations start reviewing existing information security programs and conduct a risk assessment/gap analysis. Smaller organizations without well-established information security programs should begin yesterday to develop a plan for complying with the Regulation. A comprehensive review of internal practices will help pave the road for compliance with the Regulation, as well as whatever may be coming in the future.