New York's new regulatory cyber-security obligations: the details
Ian DiBernardo, Stroock & Stroock & Lavan, Partner, New York, 6 September 2018
The eighteen-month transitional period for the New York Department of Financial Services’ Cybersecurity Regulations for Financial Services Companies (23 NYCRR Part 500) has just ended, while another deadline - also to do with cyber-security - looms for the regulator's Registration Requirements & Prohibited Practices For Credit Reporting Agencies (23 NYCRR Part 201).
The year-and-a-half-long transitional period in respect of the Cybersecurity Regulations expired earlier this week. These regulations officially went into effect on 1 March 2017, with phased implementation dates. Some of the earlier deadlines for implementation required every 'covered entity,' which in this case is “any person operating under...license, registration, charter, certificate, permit, accreditation or similar authorisation under the Banking Law, the Insurance Law or the Financial Services Law,” to register with the NYDFS by 5 February this year.
Covered entities must now comply with the following provisions (in addition to those already required).
• Section 500.06 Audit Trail. Each of them must implement and maintain an audit trail designed to: (i) reconstruct material financial transactions to support normal operations; and (ii) detect and respond to cyber-security events.
• Section 500.08 Application Security. Each must develop written procedures to: (i) ensure the use of secure development practices for in-house developed applications; and (ii) evaluate the security of externally developed applications.
• Section 500.13 Limitations on Data Retention. Each must adopt a data retention policy which, among other things, disposes of non-public information safely.
• Section 500.14 Training and Monitoring. Each must come up with policies and procedures to monitor authorised users for unauthorised access to, or use of, or tampering with, non-public information (cybersecurity awareness training for employees having already been required under an earlier deadline).
• Section 500.15 Encryption of Non-public Information. Each must put in place controls, including encryption, to protect non-public information at rest and in transit.
Notably, the final phase of implementation requires compliance with section 500.11 Third Party Service Provider Security Policy by 1 March 2019. In general, covered entities must implement written policies and procedures to make information systems and non-public information that is “accessible to, or held by, third-party service providers” safe. The policies must include “guidelines for due diligence and/or contractual protections relating to third-party service providers,” including whether certain of the provisions applicable to covered entities, such as encryption, should flow through to third-party service providers.
The Credit Reporting Agency Requirements
These rules require every consumer credit reporting agency that, within the previous 12-month period, has assembled, evaluated, or maintained a consumer credit report on one thousand or more New York consumers, to register with the NYDFS by 15 September. On a potentially more onerous note, they are also obliged to comply with the Cybersecurity Regulations of Part 500 that apply to financial service companies. Their observance of these requirements is to be phased in, with an initial compliance deadline of 1 November. As of that date, agencies will have to comply with the following.
• Section 500.02 Cybersecurity Programme. Maintain a cybersecurity programme designed to protect the confidentiality, integrity and availability of the covered entity’s information system, including the detection of, response to and recovery from a cybersecurity event;
• Section 500.03 Cybersecurity Policy. Implement and maintain a written policy, approved by a senior officer or the board of directors, for the protection of its information systems and non-public information, addressing at least 14 separate topics;
• Section 500.07 Access Privileges. Implement and periodically review user access privileges;
• Section 500.10 Cybersecurity Personnel and Intelligence. Use and train qualified cybersecurity personnel;
• Section 500.16 Incident Response Plan. As part of the cybersecurity programme, establish a written incident response plan, which must address certain enumerated aspects;
• Section 500.17 Notices to Superintendent. Each must notify the superintendent as promptly as possible, but on no account later than 72 hours from a determination that a cybersecurity event has occurred.
The remaining provisions are to be phased in on 28 February 2019, 31 August 2019 and 31 December 2019.
* Ian DiBernardo can be reached on 212 806 5867 or at idibernardo@stroock.com; Jeffrey Mann can be reached on 212 806 5763 or at jmann@stroock.com