New Cybersecurity Regulations from the NYDFS – What do they Mean for Financial Institutions & Their Business Partners, in New York and Beyond?
On March 1, 2017 a new, groundbreaking cybersecurity regulation promulgated by the New York Department of Financial Services (“DFS”) became effective. This new regulation requires organizations under its jurisdiction—banks and insurance carriers, for example—to establish and maintain cybersecurity programs. But unlike current federal law, which allows substantial flexibility for institutions to implement reasonable security safeguards appropriate to their organization, the new DFS regulations dictate specific, prescriptive measures companies must take to detect, prevent, and report cybersecurity threats. The regulation will have far-reaching impact, both geographically and functionally, because it broadly defines the scope of the organizations subject to its requirements. In announcing the rule, DFS Superintendent Maria T. Vullo stated, “New Yorkers must be confident that the banks, insurance companies and the other financial institutions that they rely on are securely handling and establishing necessary protocols that ensure the security and privacy of their sensitive personal information.”
Who is Covered by the NYDFS Regulation?
The regulation applies to “Covered Entities,” which are those companies supervised by the DFS that conduct business in New York and are “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” of New York. 23 NYCRR § 500.01(c). Such entities include banks, insurance companies, and financial services institutions.
But the regulation also imposes requirements on “Third Party Service Providers,” which includes any company that “maintains, processes or otherwise is permitted access to” nonpublic information through its provision of services to a Covered Entity. 23 NYCRR § 500.01(n). So any organization doing business with a New York financial institution and accessing its sensitive information—law and accounting firms, legal services providers, e-discovery vendors, IT providers, and so on—must adhere to the cybersecurity provisions set out in the new regulation.
What does this mean for financial institutions and those companies that partner with them to provide services? In the age of big data, and in the face of constantly escalating threats to the security of private information, financial institutions must do their part to protect their consumers’ nonpublic information. And this new regulation extends that obligation to third parties who also touch consumer data. If you are doing business with any Covered Entity you are subject to this regulation, and must adhere to specific requirements set out the rule—regardless of where you are performing that service or what your underlying function may be.
The new DFS regulation reflects the reality we’ve operated under for years: Because many of our financial services clients have long expressed their fear of third party service providers experiencing a cybersecurity breach, they have imposed stringent security assessment requirements on DiscoverReady.
However, New York’s regulation expands those strict requirements to other business partners not typically viewed as “service providers,” such as law firms, which historically were not subjected to rigorous security audits from clients. (For some discussion of this circumstance—and efforts underway to change it—take a look at a few of our prior blog posts “Major Law Firms Under Attack: Successful Hacks and More Threatened“, “Stay Informed: Cybersecurity Alerts for Lawyers“, and “Big Law is Taking Information Security Concerns More Seriously – It’s About Time.”) And of course, providers hired by law firms are also covered, including expert witnesses, consultants, court reporters, etc. Bottom line—any organization dealing with a Covered Entity’s nonpublic information must step up and comply with the regulation’s requirements around cybersecurity.
What Cybersecurity Safeguards Does the Regulation Require?
The DFS rule requires organizations to conduct periodic risk assessments of its information systems, and establish and maintain a comprehensive cybersecurity program based on the findings of those risk assessments. (“All Covered Entities must implement and maintain an internal cybersecurity program to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.” 23 NYCRR § 500.02.) The program must include written policies and procedures designed to protect consumers’ private data in its information systems. The regulation also includes certain minimum standards and best practices.
More specifically, the regulation requires Covered Entities to:
- Develop information security policies covering 14 enumerated topics, including data governance and classification, risk assessment, asset inventory and device management, access controls, system security and monitoring, data privacy, business continuity and disaster recovery, and incident response;
- Engage a Chief Information Security Officer (either internally or through a third-party provider), whose responsibilities include reporting at least annually to the board of directors;
- Hire qualified cybersecurity personnel who receive training relevant to cybersecurity risks and maintain knowledge of current threat environments and evolving safeguards and security tactics;
- Provide regular cybersecurity awareness training for all personnel;
- Implement either continuous monitoring, or penetration testing (at least annually) and vulnerability assessments (at least bi-annually);
- Maintain minimum recordkeeping, sufficient to conduct audit trails;
- Implement written cybersecurity policies for third party service providers, and protocols for the due diligence and periodic assessment of the cybersecurity risk posed by third party providers;
- Establish effective access controls, which may include multi-factor authentication or risk-based authentication;
- Destroy non-public information securely and periodically;
- Implement controls for data in transit and at rest, including encryption or compensating controls;
- Establish a written incident-response plan;
- Notify NYDFS of a breach no later than 72 hours after determining that an incident has occurred.
How Does a Covered Entity Demonstrate Compliance?
The regulation provides for transition periods of varying lengths—from 180 days to two years—for organizations to comply with the various provisions. Beginning on February 15, 2018, companies must submit annual certificates of compliance to the Superintendent of the DFS.
However, we strongly urge our clients—and their law firms and other service providers—to begin compliance efforts immediately. When covered entities like financial institutions and insurance carriers choose their panel of law firms, a law firm can differentiate itself through its cybersecurity initiatives. As we’ve already heard from our clients, all things otherwise being equal, this is one differentiator that can determine which firms will receive their business and which will not.