On August 28, 2017, the deadline for compliance with numerous provisions of the New York State Department of Financial Services (“DFS”) Cybersecurity Regulations (23 NYCRR 500.01) will arrive. As we previously wrote about here and here, the Regulations require insurance companies, banks and other institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The August 28, 2017 deadline includes provisions relating to Covered Entities’: Cybersecurity Program (Section 500.02); Cybersecurity Policy (Section 500.03); CISO (Section 500.004); Access Privileges (Section 500.07); Cybersecurity Personnel and Intelligence (Section 500.10); Incident Response Plan (Section 500.16); Notices to Superintendent of Cybersecurity Event (Section 500.17); and Filing for Limited Exemption (Section 500.19(d).
Since the Regulations became effective on March, 1, 2017, there has been some confusion among Covered Entities concerning various compliance issues. In an effort to alleviate that confusion, the DFS has been providing answers to Frequently Asked Questions (FAQ) on its website. The FAQ currently number 18, and were last updated on June 29, 2017. All Covered Entities are encouraged to read through the FAQ, and regularly monitor the DFS’s website for updates. Below are a few important highlights from the FAQ.
- The DFS cleared up what is probably the most confusing part of the Regulations: what to do when interrelated requirements are subject to different transitional periods (compliance dates). For example, Covered Entities are required to have a Cybersecurity Program in place by August 28, 2017. However, the Regulations further require that the Cybersecurity Program be based on a Covered Entity’s Risk Assessment, which the Regulations don’t require to be completed until March 1, 2018. Clearly, those two compliance dates are inconsistent. In attempting to clear up the confusion, DFS notes that Covered Entities are “generally not required to comply with, or incorporate into their cybersecurity programs, provisions of the regulation for which the applicable transitional period has not yet ended.” Thus, while Covered Entities will be required to have a cybersecurity program as well as policies and procedures in place by August 28, 2017, DFS notes “that in some cases there may be updates and revisions thereafter that incorporate the results of a Risk Assessment later conducted, or other elements of Part 500 that are subject to longer transitional periods.” Putting aside the debate as to whether or not DFS should have required the Risk Assessment to be completed prior to the implementation of a Cybersecurity Policy, this FAQ should offer some semblance of relief to those Covered Entities that were concerned about the apparent inconsistency.
- DFS also clarified what constitutes “continuous monitoring” for the purposes of Section 500.05 of the Regulations, noting that there is no specific technology that is required to be used in order to have an effective continuous monitoring program: “Effective continuous monitoring,” according to the DFS, “generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity’s Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity.” In addition, DFS specifically pointed out that periodic manual review of logs and firewall configurations will NOT be considered to constitute effective continuous monitoring for purposes of the Regulations. Thus, while the type of continuous monitoring used is left to the discretion of Covered Entities, the program must be continuous: periodic reviews, even if performed on a consistent and ongoing basis, won’t satisfy Section 500.05.
- The DFS confirmed in the FAQ that that Regulations must be read in combination with other laws and regulations that apply to consumer privacy. In particular, pursuant to Section 500.17(a)(1) of the Regulations, a Covered Entity must give notice to DFS of any Cybersecurity Event “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which includes many Cybersecurity Events that involve consumer harm, whether actual or potential. Thus, the FAQ note that to the extent a Cybersecurity Event involves material consumer harm, it is covered by the Regulations. In addition, pursuant to Section 500.17(a)(2), Cybersecurity Events must be reported to DFS if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Thus, according to DFS, “a Covered Entity’s cybersecurity program and policies will need to address notice to consumers in order to be consistent with the risk-based requirements of the Regulations.”
- In one of the newer additions to the FAQ, DFS clarified that New York branches of out-of-state domestic banks (state-chartered banks) are NOT required to comply with the Regulations. The DFS explains that that New York is a signatory to the Nationwide Cooperative Agreement, an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York is primarily responsible for supervising such state-chartered bank, including its New York branches. Thus, DFS is deferring to the “home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination.” DFS also notes that New York branches are required to comply with New York state law, that DFS maintains the right to examine branches located in New York, and that all financial institutions, including New York branches of out-of-state domestic banks, are encouraged to adopt cybersecurity protections consistent with the safeguards and protections of the Regulations.
- The FAQ also address whether or not Third Party Service Providers are required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity. In particular, Section 500.11, generally requires a Covered Entity to develop and implement written policies and procedures designed to ensure the security of the Covered Entity’s Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Clarifying that section (and demonstrating flexibility in the Regulations), DFS notes that the Regulations require Covered Entities to make a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances presented and does not create a one-size-fits-all solution. However, notwithstanding that flexibility, Multi-Factor Authentication and encryption still remain some of the best methods to ensure the security of information, and to the extent feasible, Covered Entities should attempt to implement those protections when dealing with Third Party Service Providers.
- In terms of certification of compliance, the DFS makes clear in the FAQ that it “expects full compliance with this regulation.” Simply stated, a Covered Entity may not submit a certification under Section 500.17(b) unless the “Covered Entity is in compliance with ALL applicable requirements of Part 500 at the time of certification.” Thus, if a Covered Entity finds itself in partial compliance with the Regulations (assuming the transitional periods have passed), it should not submit a certification indicating partial compliance; it should ensure full compliance prior to certification.
DFS will continue to revise or update the FAQ from time to time, as appropriate, and we will continue to provide important updates.