<div dir="ltr"><p><a href="http://www.thelegalintelligencer.com/id=1202780756910/NYs-Cybersecurity-Rules-for-Banks-Insurers-Financial-Services?slreturn=20170208152507">http://www.thelegalintelligencer.com/id=1202780756910/NYs-Cybersecurity-Rules-for-Banks-Insurers-Financial-Services?slreturn=20170208152507</a></p><p>The New York Department of Financial Services' new cybersecurity
rules applicable to banks, insurance companies and other financial
services companies, 23 NYCRR 500, went into effect on March 1. While
most states have some form of data breach notification standard, and
some states have security standards generally applicable to personal
data, these are the first state-mandated cybersecurity regulations
applicable to specific industries. The federal government has had
industry-specific requirements in place for some time, most notably in
health care under HIPAA and HITECH, and for banks and other financial
services companies under Gramm-Leach-Bliley. The N.Y. cyber rules, while
similar in many respects to existing federal regulations, are more
specific in certain key aspects and include mandates for companies to
have a chief information security officer (CISO) and for top-level
executives to review and certify compliance with the new rules on an
annual basis. These requirements have already fueled speculation that
one of the biggest impacts of the rules will be heightened litigation
in the wake of a cyber incident, based on executives' certifications
regarding a company's cybersecurity practices.</p><p>The rules apply
to "covered entities," which are defined to include any person operating
under, or required to operate under, a license, registration, charter or
similar authorization under New York's Banking, Insurance or Financial
Services Laws. (Terms used herein are specifically defined in section
500.01.) The N.Y. cyber rules impose a number of requirements on
covered entities, including: maintaining a cybersecurity program
(500.02); maintaining a written policy or policies detailing the
steps to be taken to protect information systems (500.03); designating
a CISO who is to provide at least annual reports to the board of
directors or equivalent governing body (500.04); conducting periodic
penetration testing and vulnerability assessments (500.05); maintaining
the ability to reconstruct material financial transactions and audit
trails designed to detect and respond to cybersecurity events (500.06);
limiting access to nonpublic information (500.07); following specific
guidelines for the creation of in-house developed applications and the
evaluation of externally created applications (500.08); conducting periodic
risk assessments sufficient to enable the creation of the cybersecurity
program required under the N.Y. cyber rules (500.09); utilizing qualified
cybersecurity personnel to perform or oversee the performance of core
cybersecurity functions (500.10); implementing written policies and
procedures for interaction with third-party service providers (500.11);
utilizing multi-factor and risk-based authentication (500.12);
limiting data retention (500.13); monitoring the activity of
authorized users in order to develop risk-based controls to prevent unauthorized
use or access by such users, and providing regular cybersecurity awareness
training for all personnel that is updated to reflect risks identified
in the risk assessment (500.14); encrypting nonpublic information in
transit over external networks and at rest (500.15); establishing a written
incident response plan (500.16); and giving notice to the superintendent
within 72 hours of determining that a cybersecurity event occurred, along with
annual certification of compliance to the superintendent (500.17).
Other key aspects of the rules include the ability of affiliates to
utilize a single cybersecurity program. There are also certain
exemptions: covered entities with fewer than 10 employees
(including independent contractors), less than $5 million in gross annual
revenue in each of the last three years, or less than $10 million in
year-end total assets are exempt from the requirements of Sections 500.04, 500.05,
500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16. Also,
employees, agents, representatives or designees of a covered entity that
are covered entities themselves are exempt to the extent they are
covered by the covered entity's cybersecurity program. Exempted covered
entities must file a notice of exemption annually, and have 180 days
from the end of the fiscal year in which they no longer qualify for
exemption to comply with the requirements.</p><p>The N.Y. cyber rules,
like most regulations, take the form of a mandatory risk-management
approach to cybersecurity. A risk-management approach is the generally
accepted "best practice" method for cybersecurity. Essentially, it asks what
types of data and information you have, how that data and
information are accessed, used and stored, what vulnerabilities or risks
are associated with that data, and what protections
or safeguards are available. Many of the requirements have been
modified from the original proposed rules published in September 2016.
The changes were made in response to comments on the proposed rules and
generally make the N.Y. cyber rules more fluid and
flexible in terms of how they are implemented by any particular covered
entity, and thus more in the nature of a true risk-management approach.
For example, Section 500.02, regarding the cybersecurity program, was
revised to state that the program shall be based on the covered entity's
risk assessment and address the enumerated items, rather than simply saying
it will address the enumerated items. Another example is that the
required frequency of certain activities was reduced. Penetration testing and
vulnerability assessments need only be periodic if continuous monitoring
is in place; otherwise, penetration testing must occur at least
annually and vulnerability assessments at least
biannually. Originally, penetration testing was required at least
annually and vulnerability assessments were required quarterly. The risk
assessment was also changed from annual to periodic.</p><p>The other
major change made from the proposed regulations is that the requirements
of the N.Y. cyber rules are now to be phased in, affording covered
entities more time to come into full compliance. The first round of
compliance is due within 180 days (Aug. 28), except as otherwise
provided for by longer compliance periods; compliance with Sections
500.04(b), 500.05, 500.09, 500.12 and 500.14(a)(2) within one year
(March 1, 2018); compliance with Sections 500.06, 500.08, 500.13,
500.14(a)(1), and 500.15 within 18 months (Sept. 1, 2018); and
compliance with Section 500.11 within two years (March 1, 2019). The
first compliance certification is due Feb. 15, 2018.</p><p>As
a practical matter, compliance with many of these items should not be
that difficult for entities that are already committed to robust
cybersecurity measures and are in compliance with existing federal
regulations. Many of the requirements are similar in nature to existing
requirements for banks, insurers and financial institutions under
existing federal law and are consistent with what is generally regarded
as best practice with respect to cybersecurity. For example,
regulations promulgated under Gramm-Leach-Bliley already require board
involvement with cybersecurity, risk assessments and cybersecurity
programs. See 12 C.F.R. Part 30 Appendix B (national banks) and Part
208 Appendix D-2 (state member banks). Likewise, best practices for
cybersecurity involve employee training and awareness programs, regular
monitoring of activity, and penetration and other vulnerability testing
in order to identify suspicious activity and weaknesses in
the existing security protocol. With that said, compliance with the N.Y.
cyber rules will likely add a burden for most companies, in
particular small and medium-sized ones, because certain elements are
mandatory and are not left solely to a risk-benefit analysis. The risk
assessment is the key component of the program, as it drives what is
required to comply with other sections and is mandatory for all covered
entities, even those exempt from certain of the other requirements. Again,
for most companies committed to cybersecurity this will not be a major
shift, as a risk assessment is a fundamental component of developing and maintaining a
cybersecurity program. The real impact figures to be that
periodic risk assessments are now mandatory, that a CISO must be
appointed (even if a third party is utilized for this role), and that
reporting is required. The reporting requirements include both annual
reports from the CISO to the board of directors on enumerated topics and
annual certifications by the board of directors or senior
officers of compliance with the N.Y. cyber rules. As noted above, these
requirements open the door to litigation against the board members or
senior officers signing the compliance certification in the event of a
data breach or other cyber event, for fraud and similar claims along the
lines of securities fraud claims based on statements in required filings.</p><p>While
no one can doubt the importance of strong and proactive cybersecurity,
it remains to be seen whether this is something that can be effectively
addressed through regulation. The N.Y. cyber rules are certainly an
ambitious attempt at providing a framework for comprehensive industry-wide
standards. There is already speculation that they will serve as the
model for similar regulations in other states. Yet the question remains
whether they will truly increase cybersecurity, something that
is much more art than science and is neither perfect nor one-size-fits-all,
or merely add another layer of regulatory burden and increased
potential liability for the impacted industries.</p></div>