In September 2016, the New York Department of Financial Services (DFS) proposed a new Cybersecurity Regulation that would impose strict cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies and certain other financial service providers (each, a “Covered Entity”). DFS received varied, but primarily negative feedback on the proposed Regulation, as any commentators condemned the proposed Regulation as being too prescriptive and burdensome on Covered Entities. A common theme of the commentary was that the proposed Regulation did not allow Covered Entities to properly assess risk and build cybersecurity programs designed to meet those risks.
DFS subsequently revised the proposed Regulation and clearly took the comments to heart. The new proposed Regulation has greatly reduced the burden on Covered Entities and completely changed the regulatory compliance requirements. Demonstrating compliance with the Regulation is now based on walking a fine line between development of the Risk Assessment Policy and using the resulting Risk Assessment to modify or develop the Cybersecurity Program, the Cybersecurity Policy and associated procedures. In light of these revisions there are a number of questions that we have been asked by multiple companies.
Is my company covered by the Regulation?
Covered Entities are defined as: “any [p]erson operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.” How this will be applied to companies who have the majority of their operations and a primary regulator in another state has not been explained. However, unless the systems and data for operations in New York are segregated, the requirements of the Regulation will apply.
How will DFS enforce this? Didn’t they bite off more than they can chew?
For the most part, the Regulation is self-enforcing. Each Covered Entity must perform a Risk Assessment and design a Cybersecurity Program and Cybersecurity Policies and procedures based on the findings from the Risk Assessment. Additionally, the Regulation requires companies to provide a Certification of Compliance signed personally by the Chair of the Board or a number of members of the C-Suite. This could have significant implications for company and personal risk, as DFS retains all of its regulatory authority if any portion of the Certification is found to be untrue. Presumably, there would even be potential liability for perjury for certain misstatements or omissions. Additionally, all of the materials used to develop the Cybersecurity Program and the Cybersecurity Policies must be available to DFS. Covered Entities are required to notify DFS of certain Cybersecurity Events (discussed below), and it is anticipated that enforcement of the Regulation will initially focus on Covered Entities who make reports.
How is the Regulation different from other laws and regulations that already apply to some entities (i.e., GLBA or HIPAA)?
As stated in the releases for both the original and revised proposed Regulation, the Regulation is intended to go beyond the requirements of The Gramm-Leach-Bliley Act (GLBA) and Health Insurance Portability and Accountability Act (HIPAA). One major difference is that GLBA and HIPAA apply specifically to protection of personally identifiable information, whereas the Regulation applies to any information that affects the confidentiality, integrity and availability of Covered Entities’ information systems and applicable information. In this way, the Certification of Compliance is similar to the Sarbanes-Oxley Act financial reporting requirement, which has never been used broadly with cybersecurity previously. Furthermore, requiring the Cybersecurity Program and the Cybersecurity Policies and procedures to be based on the Risk Assessment is a dramatic departure from the way risk assessments are traditionally done under other statutory regimes.
How does the 72-hour Cybersecurity Event notification work? Doesn’t this mean that Covered Entities will be required, or incentivized, to report every attempted intrusion to DFS?
DFS received many comments on this. There was concern that companies would be required to notify DFS of too many events, and that significant Cybersecurity Events would be lost in the noise. The notification requirement is now for Cybersecurity Events that have a “reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Additionally, DFS must be notified of Cybersecurity Events which require notice to other government, regulatory bodies or self-regulatory agencies. This seems to strike a balance; however, public companies should take considerable care when choosing to report a Cybersecurity Event. Reporting a Cybersecurity Event is not something DFS will take lightly and over-reporting could have unintended consequences. While public companies may want to report minor incidents out of an abundance of caution, this could be detrimental to the company in the long run. Additionally, Covered Entities must take care to connect the notification of Cybersecurity Events to other regulatory obligations, particularly Securities and Exchange Commission reporting. The lawyers managing these matters are often not in the same group and may not be aware of issues or transactions taking place outside of their purview.
How are Covered Entities required to manage third-party vendors?
The Regulation requires that the Third-Party Service Provider Policy be based on the Risk Assessment. DFS removed the recommended specific contract terms and stringent assessment requirements from the original proposed Regulation. However, the Regulation retained the requirement that Covered Entities establish minimum cybersecurity practices for the Third-Party Service Providers they work with. While most financial services companies have vendor management programs and cybersecurity requirements for vendors, they do not have them enshrined as minimum requirements in a policy. Most companies regularly choose to utilize vendors who do not meet certain aspects of their internal requirements based on a balance of risk and business need. By designating the requirements as “minimum” cybersecurity practices, the process for waiving minimum requirements is higher and necessitates a clearly defined process. The Risk Assessment findings must be used as the basis for determining the minimum cybersecurity practices.
Overall, the Regulation pushes Covered Entities to develop a different compliance process than other regulations. Most sophisticated Covered Entities will find that they have many of the pieces that are required, but may need to rearrange them, possibly with clearer decision-making processes. This will allow senior officers to feel comfortable that they are not at personal risk when signing the Certificate of Compliance.
Richard M. Borden, Counsel at Robinson & Cole, is the co-author of this blog post.