The New York State Department of Financial Services (“DFS”) recently issued updated proposed cybersecurity regulations (the “Regulations”), which will be finalized following a 30-day notice and public comment period. The proposed Regulations, the first of their kind in the nation, will be effective March 1, 2017 and will require insurance companies, banks, and other institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry. The updated Regulations replace an earlier version issued late last year that many regulated entities complained placed an undue burden on smaller institutions. The DFS attempted to address those concerns by promulgating regulations designed to allow each regulated entity to craft a cybersecurity program based upon its own individual risk assessment, as opposed to a set of one-size-fits-all requirements.
In order to be compliant with the revised Regulations, the DFS is requiring a covered entity’s cybersecurity program to address six core cybersecurity functions: 1) identify and assess internal and external cybersecurity risks; 2) use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems from unauthorized access, use or other malicious acts; 3) detect cybersecurity events; 4) respond to identified or detected cybersecurity events to mitigate any negative effects; 5) recover from cybersecurity events and restore normal operations and services; and 6) fulfill applicable regulatory reporting obligations. These six areas are among those commonly viewed as integral to any cybersecurity program, and sharp parallels can be drawn between the DFS Regulations and the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. The NIST Framework was published by the United States Department of Commerce in 2014 and was designed to offer private organizations guidance on how to prevent, detect and respond to cybersecurity events by addressing 5 core categories (Identify, Protect, Detect, Respond and Recover), which are similar to the core functions set forth by the DFS.
Among the core requirements of the DFS Regulations, each covered entity is required (based on its risk assessment) to implement and maintain written policies and procedures for the protection of its information systems and the nonpublic information stored on those information systems. The policies must address, to the extent applicable, a number of key areas, including:
- information security;
- data governance and classification;
- asset inventory and device management;
- access controls and identity management;
- business continuity and disaster recovery planning and resources;
- systems operations and availability concerns;
- systems and network security;
- systems and network monitoring;
- systems and application development and quality assurance;
- physical security and environmental controls;
- customer data privacy;
- vendor and Third Party Service Provider management;
- risk assessment; and
- incident response.
With respect to the ever-important component of incident response, the DFS is requiring each covered entity to establish a written incident response plan designed to enable the entity to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations. The incident response plan must address the following areas: 1) the internal processes for responding to a cybersecurity event; 2) the goals of the incident response plan; 3) the definition of clear roles, responsibilities and levels of decision-making authority; 4) external and internal communications and information sharing; 5) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls; 6) documentation and reporting regarding cybersecurity events and related incident response activities; and 7) the evaluation and revision as necessary of the incident response plan following a cybersecurity event.
Within the confines of the Regulations summarized above, there are a number of other important requirements to which a covered entity must adhere. All organizations covered by the Regulations are encouraged to review them carefully and craft policies and procedures to ensure compliance. Depending on the particular requirement within the Regulations, the DFS is allowing covered entities anywhere from 6 to 24 months to become compliant, although the time to begin the process of planning to become compliant is now.