[BreachExchange] New York's New Cybersecurity Rules: What Is Required?

Audrey McNeil audrey at riskbasedsecurity.com
Tue Oct 18 19:21:40 EDT 2016


http://www.jdsupra.com/legalnews/new-york-s-new-cybersecurity-rules-what-71899/

The new cybersecurity rules proposed by the New York State Department of
Financial Services require financial services institutions to have
extensive cybersecurity protections in place, including a cybersecurity
program, written policies, dedicated personnel, risk assessments, training,
and breach reporting within 72 hours.

As we recently reported, the New York State Department of Financial
Services (DFS) issued a set of proposed cybersecurity rules for New York
financial services companies (Rules), in response to the many high profile
cybersecurity breaches and hacks over the past few years. The Rules set
minimum standards for financial services companies in an effort to keep
their sensitive financial data and systems, and their customers' personal
information, safe from breach and from cybercriminals. While many financial
institutions already have robust cybersecurity programs that may meet or
exceed the minimum standards set by the Rules, the Rules will still impose
additional obligations on each institution, such as conducting audits,
regularly certifying compliance, and appointing a Chief Information
Security Officer.

Who is covered under the Rules?

The Rules apply to almost all individuals, partnerships, and corporations
operating in the banking, insurance and other financial services industries
within New York and regulated by the DFS. They require all entities that
are operating under a license, registration, charter, certificate, permit,
accreditation or similar authorization under New York banking, insurance,
or financial services laws to meet the minimum standards set forth. See §
500.01(c). This includes state-chartered commercial banks and
state-licensed branches and agencies of foreign banks.

However, the Rules include limited exemptions for smaller entities.
Entities with fewer than 1,000 customers, less than $5M in gross annual
revenue, and less than $10M in total assets (including affiliates) are
exempt from the requirements involving the maintenance of specific
cybersecurity personnel and conducting trainings, audits, and vulnerability
tests. See § 500.18(a).

What do the Rules require?

The Rules, and the DFS's overview of them, require the following of
financial services companies:

Program: Establishment and maintenance of a cybersecurity program. See §
500.02. As well as certain measures described in more detail below, the
program must include:

An infrastructure to protect the company's sensitive information systems
and private information from unauthorized access, use, and malicious
attacks;
A mechanism for detecting unauthorized access, or attempted breaches, of
the information systems, terminating the detected breaches, and recovering
from breaches; and
An adherence to all regulatory reporting obligations.

Policy: Maintenance of a written cybersecurity policy. See § 500.03(a). The
policy must be reviewed annually by the board of directors and approved by
a senior officer responsible for compliance or information security. See
§ 500.03(b). The cybersecurity policy must address:

Security measures currently in place to protect the information systems and
customer data privacy;
Procedures to maintain, monitor, and update the information systems and
networks, including management of third-party service providers;
Assessments of the information systems' security risks and operations
concerns; and
Procedures to respond and recover from security breaches.

Encryption: Encryption of all nonpublic information in transit and at rest
unless infeasible. See § 500.15.

Multi-Factor Authentication: Employment of multi-factor and risk-based
authentication for logging into information systems. See § 500.12.

Application Security: Adoption of procedures (with annual reviews) for
secure development practices for all in-house developed applications, and
for the assessment and security testing of all externally developed
applications. See § 500.08.

Third Party Information Security: Implementation of written policies and
procedures regarding the security of the company's information systems and
nonpublic information that are accessible by third parties doing business
with the company. See § 500.11.

Data Retention Limitations: Implementation of policies and procedures for
the timely destruction of any nonpublic information. See § 500.13.

Testing and Risk Assessment: Testing of the company's cybersecurity program
and assessment of risks to the company's information systems. See §§
500.05; 500.09. The testing must include a quarterly vulnerability
assessment in addition to an annual penetration test. A formal risk
assessment report, evaluating and categorizing the identified risks, must
also be drafted annually.

Personnel: Retention of cybersecurity personnel. See §§ 500.04; 500.10.
Specifically:

Appointment of a Chief Information Security Officer, who is responsible for:

implementing the cybersecurity program and enforcing the cybersecurity
policy, and

drafting a biannual report detailing the integrity of the information
systems and cybersecurity program and summarizing any security breaches and
attempts that occurred; and

Employment of a cybersecurity team to manage the cybersecurity program and
run the day-to-day cybersecurity functions.

Training: Implementation of cybersecurity training, and attendance at it by
cybersecurity personnel. See §§ 500.10(2); 500.14. The cybersecurity team
must attend regular cybersecurity training to stay current on evolving
cybersecurity threats and countermeasures. Additionally, all employees must
attend cybersecurity awareness training sessions.

Access Privileges: Limitation of access privileges to the company's
information systems solely to those individuals who need access as part of
their roles, with periodic review of those privileges. See § 500.07.

Audit Trail: Maintenance of an audit trail system to track and log all
financial transactions. See § 500.06.

Incident Response Plan: Establishment of a written incident response plan
designed to promptly respond to and recover from a cybersecurity breach.
See § 500.16.

Reporting and Certification: Reporting serious cybersecurity breaches to
the Superintendent of Financial Services within 72 hours. See § 500.17.
Additionally, each financial services company must annually certify that it
is in compliance with the new regulations. See § 500.17. A model
certification of compliance is attached as Appendix A of the Rules.

When will the Rules become effective?

The Rules are set to be published in the New York State register on
September 28, 2016, after which they will enter a 45-day notice and public
comment period prior to final issuance. See Press Release. The Rules become
effective as of January 1, 2017. See § 500.20. However, financial
institutions covered by the Rules will have 180 days to comply with the new
requirements. See § 500.21.

Conclusion

The Rules are publicized as the first of their kind in the country and
initial reactions to them have varied. Some believe they will have a
minimal impact on large financial services institutions which already
invest heavily in sophisticated cybersecurity programs but will be most
harshly felt by smaller companies, which could have to spend millions of
dollars to update their cybersecurity programs to meet the
minimum requirements. Others see the Rules as a welcome effort to increase
the overall level of cybersecurity in critical industries that face
ever-increasing risks of cybercrime and cyberterrorism. The overall
effectiveness of the Rules can only be speculated at this point. However,
what is likely is that other states and even the federal government may
adopt similar regulations in the near future.

As for implementing the Rules, the Federal Financial Institutions
Examination Council ("FFIEC") has issued extensive material on
cybersecurity awareness but has not put that guidance into the form of a
regulation.  A covered institution might want to refer to this FFIEC
guidance in implementing the Rules.