New York’s DFS Narrows Proposed Cybersecurity Regulations
On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) issued proposed cybersecurity regulations (“Original Proposed Regulations”) that would impose new, stringent cybersecurity requirements on banks, money transmitters, insurance companies, and other financial service providers regulated by the NYDFS (collectively, “Regulated Institutions”).
During the 45-day notice and public comment period, NYDFS received over 150 comments from Regulated Institutions, trade associations, individuals and third party service providers, including cybersecurity service providers. On December 28, 2016, the NYDFS published revised proposed regulations (“Revised Proposed Regulations”) to address the comments received. Below is a table summarizing the most salient changes to the Original Proposed Regulations. Please note that the information in the table is not a comprehensive summary of the proposed regulations. Download a printable PDF of the proposed cybersecurity regulations chart.
Original Proposed Regulation vs. Revised Proposed Regulation

Chief Information Security Officer
Original: Appointment of an exclusive CISO with only information security duties; bi-annual written reports to the Regulated Institution's governing body
Revised: Appointment of a non-exclusive CISO who may perform other functions; annual written reports to the Regulated Institution's governing body

Data Retention and Destruction
Original: Destroy nonpublic information no longer necessary to provide products and services
Revised: May maintain nonpublic information if necessary for business operations or other legitimate purposes

Penetration Testing and Vulnerability Assessments
Original: Annual penetration testing and quarterly vulnerability assessments
Revised: Continuous monitoring or periodic penetration testing and vulnerability assessments; absent effective continuous monitoring, the Regulated Institution must conduct annual penetration testing and bi-annual vulnerability assessments

Original: Limited to individuals who require access to perform their responsibilities
Revised: Limited to individuals based on the Regulated Institution's risk assessment

Original: Multifactor authentication and risk-based authentication for specified circumstances
Revised: Regulated Institutions select appropriate controls, which may include multifactor or risk-based authentication, based on their risk assessment

Original: Compensating controls for a limited transition period: one year for encryption of data in transit and five years for encryption of data at rest
Revised: Compensating controls may be used indefinitely for nonpublic information in transit and at rest, as approved by the CISO, who annually reviews their feasibility and effectiveness

Original: Maintenance of audit trail systems based on prescriptive requirements; maintain records for six years
Revised: Maintenance of audit trail systems based on the Regulated Institution's risk assessment; maintain records for five years

Third-Party Service Providers
Original: Required to include security language in contracts
Revised: Security guidelines to be provided to third-party service providers
More limited definition

Notice to NYDFS of Cybersecurity Events
Original: If risk of materially affecting the Regulated Institution's operations or nonpublic information
Revised: If risk of material harm to the Regulated Institution's normal operations

Use of Affiliates to Help Comply with Requirements
Not permitted; only third-party service providers permitted

Confidentiality Regarding Exemptions from Disclosure
Information provided by a Regulated Institution is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law, or any other applicable state or federal law

Original: 180 days from the effective date to comply with the regulations
Revised: Adds three exceptions:
By March 1, 2018:
By September 1, 2018:
By March 1, 2019:

Original: January 1, 2017
Revised: March 1, 2017
The NYDFS added several new exemptions in the Revised Proposed Regulations. Any Regulated Institution claiming an exemption must file a notice of exemption with the NYDFS. A Regulated Institution may be excluded from certain provisions, including the CISO appointment, penetration testing, application development, multifactor authentication, encryption and incident response plan obligations, if it has (a) fewer than 10 employees or independent contractors; (b) less than $5 million in gross annual revenue in each of the past three fiscal years; or (c) less than $10 million in its and its affiliates' GAAP year-end total assets. Additionally, if a Regulated Institution is an employee, agent, representative, or designee of another Regulated Institution, no separate program is required. Finally, a Regulated Institution that does not directly or indirectly maintain information systems or possess nonpublic information is exempt from most requirements of the Revised Proposed Regulations, except for the requirements relating to risk assessments, implementation of written third-party service provider policies, disposal of nonpublic information and notice to the NYDFS.
The NYDFS will finalize the Revised Proposed Regulations following a second notice and public comment period. Comments on the Revised Proposed Regulations are due January 27, 2017. We encourage Regulated Institutions to check whether their cybersecurity policies, procedures and programs comply with the Revised Proposed Regulations’ requirements.
For questions about the regulations or for assistance in ensuring compliance by March 1, 2017, please contact Jane Hils Shea.
Christopher C. Tieke is an associate in Frost Brown Todd's Louisville office, focusing his practice on business litigation. He graduated from the University of Cincinnati College of Law, with magna cum laude honors; served as an Associate Member of the University of Cincinnati Law Review; and participated in the Entrepreneurship and Community Development Clinic.