The New York Department of Financial Services (NYDFS) announced today a revised regulation that will require all institutions subject to NYDFS supervision to establish and maintain a cybersecurity program meeting "certain regulatory minimum standards." All financial institutions under NYDFS jurisdiction—including banks, state-licensed lenders, mortgage industry companies, insurance companies, and money services businesses—should carefully assess whether existing security measures will need to be enhanced and what additional steps may need to be taken to satisfy the requirements in the proposed rules. Third party service providers to these institutions should also prepare for compliance requirements that will likely be imposed downstream from these covered entities.

The revised regulation will become final and effective on March 1, 2017 (a delay of two months from the originally proposed January 1, 2017, effective date). The first annual certification will now be due by February 15, 2018. The revised regulation also establishes tiered transition periods for covered entities to comply with the new requirements:

  • Six months: All provisions not specified in the following transition periods.

  • One year: CISO reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2)).

  • 18 months: Audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15).

  • Two years: Third party service provider security policy (500.11).

Many of the requirements set forth in the initial version of the proposed regulation, released on September 13, 2016 (summarized in our prior alert available here), remain unchanged. NYDFS made some significant concessions, however, in response to more than 150 public comments that were submitted. NYDFS released an "Assessment of Public Comments" with the revised regulation, providing some insight into the changes made in response to the public comments. Some of the most pertinent revisions include:

  • Small business exemption: Creation of a "limited" small business exemption for covered entities that have fewer than 10 employees, less than $5 million in gross annual revenue, or less than $10 million in year-end total assets.

  • Risk-based assessments: Clarification that the revised regulation's requirements, such as the encryption and multi-factor authentication mandates, are intended to be linked to a covered entity's risk assessment. However, NYDFS cautions that a risk assessment should not be used to justify a cost-benefit analysis of acceptable losses related to cybersecurity risks. The term "risk assessment" has been added as a new defined term in the revised regulation. The revised regulation requires that risk assessments be performed "periodically," instead of annually (as originally proposed).

  • Audit trails: Reduction in the level of prescriptive requirements related to maintaining audit trails, including reducing the covered period from six to five years and focusing on material cybersecurity events.

  • Nonpublic information: Significant narrowing of the definition to conform more closely to the definition in the New York breach notification statute. The revised regulation provides an exemption for any covered entity that does not directly or indirectly control, own, access, generate, receive, or possess any nonpublic information.

  • Chief Information Security Officer (CISO): Clarification that so long as a covered entity has designated a qualified individual to perform the functions of a CISO, no individual is required to have this specific title or be dedicated exclusively to CISO activities. The designated individual now must provide a written, more narrowly focused, annual (not bi-annual) cybersecurity report to the board of directors or governing body.

  • Third party service providers: Amendment of the proposed regulation to clarify that any requirements on third party service providers should be based on the covered entity's risk assessment. Thus, covered entities will not be required to audit the systems of all third party service providers. The language requiring certain "preferred provisions" to be added to vendor contracts has been removed and replaced with a requirement to establish relevant guidelines and/or contractual protections. The term "third party service provider" has been added as a new defined term in the revised regulation.

  • Affiliates: Authorization of covered entities to satisfy the requirements of the revised regulation if covered by the cybersecurity program of an affiliate, including the affiliate's CISO.

  • Cybersecurity event reporting: Retention of the 72-hour reporting timeframe for notifying NYDFS of a "cybersecurity event." Addition of a "materiality" qualifier to those provisions related to responding to and reporting of cybersecurity events. The revised notification requirement applies only to:

    • Cybersecurity events of which notice is required to be provided to any government body, self-regulatory agency, or any other supervisory body, and
    • Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.

Importantly, the revised regulation includes new language addressing the confidentiality of any reporting submitted to NYDFS about cybersecurity events.

Public comments may be filed on the revised regulation for 30 days from today's publication date. NYDFS will consider as part of its final review any new comments that were not previously raised during the original comment period, which ended on November 14, 2016. As NYDFS has proven receptive to making changes based on public comments, financial institutions should carefully consider whether to file comments during the next 30 days.

Ballard Spahr will host a webinar on the revised rules on January 12, 2017.

Attorneys in Ballard Spahr's Consumer Financial Services and Privacy and Data Security Groups regularly advise financial services companies on compliance with the quickly expanding intersection between consumer financial services, privacy, and data security laws. We assist with the development and review of risk-based information security programs, including risk assessments and incident response plans. Our cross-disciplinary team of attorneys helps clients around the world mitigate cyber risk, investigate and respond to cyber incidents, and navigate post-incident enforcement, compliance, and litigation matters.

Copyright © 2016 by Ballard Spahr LLP.
(No claim to original U.S. government material.)

All rights reserved. No part of this publication may be reproduced, stored in a retrieval system, or transmitted in any form or by any means, including electronic, mechanical, photocopying, recording, or otherwise, without prior written permission of the author and publisher.

This alert is a periodic publication of Ballard Spahr LLP and is intended to notify recipients of new developments in the law. It should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult your own attorney concerning your situation and specific legal questions you have.