Cybersecurity Requirements in New York: Determining Compliance

August 25, 2017

The New York Department of Financial Services (DFS) has issued cybersecurity requirements for the financial services companies it regulates. Codified at 23 NYCRR Part 500, the regulation became effective on March 1, 2017, and applies to entities operating under a DFS license, registration, charter or similar authorization, which in the insurance sector includes insurers and insurance-related companies as well as brokers, agents and adjusters licensed in New York. Each such entity must assess its specific cyber risk profile and design a cybersecurity program that addresses that risk in a "robust fashion." The first transitional compliance deadline is fast approaching: August 28, 2017, with the remaining requirements phased in over the following two years.

"Covered Entities" that have yet to comply should consider contacting an attorney to confirm whether they must do so. They could learn that an exemption from the cybersecurity requirements, at least a limited one, applies.

Indeed, if a firm does not hold a license, certificate or registration from DFS, it is not a Covered Entity and is not subject to the cybersecurity requirements at all. Additionally, an employee, agent or representative of a business holding a license, certificate or registration from DFS may be exempt to the extent that business's cybersecurity program already covers the individual.

Further, a captive insurance company that does not control, own, access, generate, receive or possess non-public information, other than information relating to its corporate parent or affiliates, may also qualify for a limited exemption. Such a company must nevertheless satisfy some of the cybersecurity requirements listed below, including performing a risk assessment, maintaining a third-party service provider security policy and imposing limitations on data retention, and it must still file the annual certification of compliance and report cybersecurity events. A Notice of Exemption must also be filed with the DFS superintendent.

Additionally, if a firm (together with its affiliates) has fewer than 10 employees, including independent contractors, located in New York or "responsible for business of the Covered Entity," less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations, or less than $10 million in year-end total assets, it too may be eligible for a limited exemption; meeting any one of the three thresholds is enough. However, that entity must file a Notice of Exemption with the DFS superintendent by the applicable deadline, and it would still need to satisfy the core cybersecurity requirements (e.g., a cybersecurity program and a comprehensive cybersecurity policy addressing the fourteen subjects identified in the regulation, restricted access privileges, a periodic risk assessment, restrictions on and monitoring of third-party service providers, and limitations on data retention). In addition, an annual certification of compliance has to be filed with the DFS superintendent, and cybersecurity events must be reported.

In deciding whether you hold "non-public information" as the regulation defines it, it is important to ask three questions:

  • Would the tampering with, or unauthorized disclosure, access or use of, the business information in your possession result in a material adverse impact to the business, operations or security of your firm?
  • Does the information in your possession consist of an individual's name, number, personal mark or other identifier combined with any of the following: a social security number; a driver's license number or non-driver identification card number; an account number or credit or debit card number; a security code, access code or password that would permit access to the individual's financial account; or biometric records?
  • Does the information in your possession consist of information (other than age or gender) created by or derived from a health care provider or the individual that relates to the past, present or future physical, mental or behavioral health or condition of the individual or a member of the individual's family; the provision of health care to the individual; or payment for the provision of health care to the individual?

If the answer to any one of these three questions is "yes," then you possess non-public information and cannot rely on the exemption for entities that hold no such information. The same is true if you operate, maintain, utilize or control any information system for the collection, processing, sharing or storage of electronic information, including but not limited to a personal computer. As a Covered Entity without an applicable exemption, you would be required to comply with all aspects of the DFS cybersecurity regulation.

However, if you neither possess non-public information nor operate, maintain, utilize or control any information system for the collection, processing, sharing or storage of electronic information, you may qualify for a limited exemption, so long as a Notice of Exemption is timely filed with the DFS superintendent.

The requirements for compliance, some of which have been referenced above, are as follows (each corresponds to a section of Part 500):

  • Cybersecurity program – a written program, based on the firm's risk assessment, to identify and assess risks, protect information systems and non-public information, detect and respond to cybersecurity events, recover from them and meet reporting obligations.
  • Cybersecurity policy – a board-approved written policy for the protection of information systems and non-public information, addressing (to the extent applicable): information security; data governance and classification; asset inventory and device management; access controls and identity management; business continuity and disaster recovery planning and resources; systems operations and availability concerns; systems and network security; systems and network monitoring; systems and application development and quality assurance; physical security and environmental controls; customer data privacy; vendor and third-party service provider management; risk assessment; and incident response.
  • Chief information security officer (CISO) – designation of a qualified individual (who may be employed by an affiliate or a third-party service provider) to oversee and implement the cybersecurity program, enforce the policy and report in writing at least annually to the board or senior officers.
  • Penetration testing and vulnerability assessments – annual penetration testing and vulnerability assessments twice a year ("bi-annual" in the regulation), unless continuous monitoring is in place.
  • Audit trail – systems designed to reconstruct material financial transactions and to detect and respond to cybersecurity events, with the records retained for the periods the regulation specifies.
  • Access privileges – limitation of user access privileges to information systems that provide access to non-public information, with periodic review of those privileges.
  • Application security – written procedures for secure development of in-house applications and for evaluating the security of externally developed applications.
  • Risk assessment – a periodic, documented assessment of the firm's information systems that identifies key assets and potential threats and informs the design of the program and its mitigation strategies.
  • Cybersecurity personnel and training program – use of qualified cybersecurity personnel (in-house, affiliate or third-party), with training and verification that they keep current with changing threats.
  • Third-party service provider security policy – written policies and procedures, including minimum security practices and periodic assessment, for third parties that access the firm's information systems or non-public information.
  • Multi-factor authentication – multi-factor authentication for any individual accessing the firm's internal networks from an external network, unless the CISO approves reasonably equivalent compensating controls.
  • Limitations on data retention – periodic secure disposal of non-public information that is no longer necessary for business operations or other legitimate purposes.
  • Training and monitoring – monitoring of authorized users to detect unauthorized access or tampering, and regular cybersecurity awareness training for all personnel.
  • Encryption of non-public information – encryption of non-public information in transit over external networks and at rest, or compensating controls approved by the CISO where encryption is infeasible.
  • Incident response plan – a written plan for responding to and recovering from cybersecurity events, covering roles, decision-making, communications, remediation and post-event documentation.
  • Notice to Superintendent – notice to the superintendent within 72 hours of determining that a reportable cybersecurity event has occurred, and an annual certification of compliance.
