In a surprising turn of events, the New York State Department of Financial Services (“DFS”) announced on December 28 significant changes to its cybersecurity regulation in response to industry concerns that the agency’s original proposal was too prescriptive, and did not allow enough time for compliance.
In September of 2016, DFS had proposed stringent cybersecurity requirements aimed at protecting “Nonpublic Information” within the custody or control of banks, insurers, and other financial institutions (“Covered Entities”) from cyberattacks by imposing new rules and detailed cybersecurity controls (the “Regulation”). Our more detailed outline of those requirements is available here.
On December 28, however, the DFS announced that it had eased many of the initially-proposed requirements after reviewing industry concerns during the public comment period. Besides extending the time Covered Entities have to come into compliance with the Regulation, the DFS’s updates include refinements to the initial controversial provisions. We provide select highlights of these changes below and a link to the proposed Regulation can be found here.
- Nonpublic Information. Along with certain business-related and health information, the broad definition of Nonpublic Information had previously included any “information that can be used to distinguish or trace an individual’s identity” and certain transactional data related to individuals. The updated Regulation still covers business-related and health information, but narrows the other categories to “name, number, personal mark, or other identifier” in combination with any of the following elements: “(i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.” This aligns to existing federal and state laws in the US requiring data breach notification.
- Encryption. Initially, Covered Entities were required to encrypt Nonpublic Information held or transmitted both in-transit and at rest. Under the revised Regulation, however, the requirement for Covered Entities to encrypt Nonpublic Information is now linked to their own risk assessment. Where the Covered Entity determines that use of compensating controls implemented as an alternative to encryption are adequate, the updated Regulation only requires that it evaluate the effectiveness of these controls and the feasibility of encryption at least annually.
- Third Party Service Providers. The Regulation made several changes to the requirements related to certain service providers that maintain, process, or access Nonpublic Information in providing services to Covered Entities (“Third Party Service Providers”). These changes include the addition of a limited exception for certain Covered Entities that are excused from developing a Third Party Service Provider policy if they act as an agent, employee, representative or designee of another Covered Entity whose policy they follow.
- Multi-Factor Authentication. The previous version of the Regulation required multi-factor authentication in a number of instances, which has been replaced with a more general obligation to “use effective controls” (which may include multi-factor or risk-based authentication) to protect Nonpublic Information. The revised Regulation, however, only requires multi-factor authentication (or an equivalent or more secure control) for individuals accessing internal networks from an external network.
- Cybersecurity Event Notification. The initial proposal required Covered Entities to notify DFS of certain cybersecurity events as promptly as possible and within 72 hours after the business becomes aware of the event. The revised requirement now calls for Covered Entities to notify the DFS of only those events that may “materially harm” the Covered Entity’s normal operations.
- Effective Date. The effective date for the Regulation was moved back from January 1, 2017, to March 1, 2017. Further, Covered Entities must begin to submit their certification of compliance to DFS on February 15, 2018, 30 days later than previously proposed.
- Transitional Period. Along with the 180 day period for Covered Entities to come into compliance after the effective date, the revisions specify transitional periods of a year or more for certain compliance measures. For example, Covered Entities will now have a full year to comply with the Regulation’s requirements regarding penetration testing and vulnerability assessment and two years to address requirements relating to Third Party Service Provider security policies.
The Regulation, published in the New York State Register on December 28, will be finalized following a 30 day notice and public comment period. If you have any questions about this development, please do not hesitate to reach out to one of the Contact Partners listed below.
Contributors: Brian Hengesbaugh, Amy de La Lama, Michael Egan, Harry Valetk and Jeff Dunifon