The New York Department of Financial Services (“DFS”) recently issued proposed cybersecurity requirements for financial services companies. The proposed regulation would be codified at 23 NYCRR 500, and would be effective March 1, 2017.
This action, which places New York squarely in the vanguard of US regulators, will have wide-ranging effects given the number of banks, insurance companies, and financial services companies that are licensed in New York. It will also affect companies that do business with those regulated companies, referred to in the proposed regulation as “Third Party Service Providers,” whether or not the business affiliates are otherwise required to be licensed by the DFS. Some Third Parties that may be affected are law firms, accounting firms, and consulting firms.
The proposed regulation mandates minimum standards for data security by Covered Entities. Covered Entities are any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.
The DFS would require, among other things, that each Covered Entity undertake the following:
- Maintain a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems;
- Implement and maintain a written policy or policies setting forth procedures for the protection of information systems and Nonpublic Information stored on those systems;
- Designate a qualified Chief Information Security Officer;
- Monitor and test the cybersecurity protections for vulnerabilities;
- Maintain records for 5 years sufficient to provide an audit trail to reconstruct transactions and cybersecurity events;
- Conduct periodic risk assessments;
- Implement policies to protect Nonpublic Information from authorized access by limiting data retention through destruction policies as permitted, training and monitoring, and encryption of data;
- Implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that is accessible to or held by Third Party Service Providers;
- Establish a written incident response plan;
- File a Certificate of Compliance with the superintendent annually.
In addition, the covered entity must notify the superintendent as promptly as possible, but in no event later than 72 hours, if it is determined that a cybersecurity event has occurred that would require notification to a governmental entity or regulatory body and the event has a reasonable likelihood of materially harming the normal operation of the Covered Entity.
There is a limited exemption for Covered Entities with fewer than 10 employees, or less than $5,000,000 gross annual revenue in each of the last three years, or less than $10,000,000 in year-end assets (including all affiliates). Employees, agents, and representatives who are Covered Entities need not have their own plan if they are covered by the plan of a Covered Entity. Covered Entities that do not control information systems or possess Nonpublic Information are exempt from certain enumerated requirements. Covered Entities that qualify for an exemption must file a Notice of Exemption on the specified form.
Covered Entities will have at minimum 180 days from the effective date to comply with the requirements. Certain requirements have longer compliance periods.
If you have questions, contact Thomas Gibbs in Jacksonville.