Virginia businesses could be subject to New York cyber regulation
Certain financial service businesses have just a few days to gear up for New York’s brand-new cybersecurity regulation. The new rule applies to all entities overseen under the New York Department of Financial Services (NYDFS) banking, insurance and financial service laws. The net scoops up commercial banks, foreign banks with New York licensed offices, mortgage brokers and servicers, small-loan lenders and money transmitters doing business in New York. Obviously, insurance companies, brokers, agents (resident and non-resident), and others also fall within the scope. As Gov. Andrew Cuomo stated, “These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place” to protect businesses and clients “from the serious economic harm caused by these devastating cyber-crimes.”
The new regulation is perhaps the most detailed in the country to date and sets forth unprecedented requirements for covered entities. Yet it also gives companies a good degree of flexibility in implementation. The regulation becomes effective as of March 1. Entities that sat back during the rulemaking and comment period may be behind the eight ball at this point.
As noted in the introduction, “this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.” To accomplish this goal, the NYDFS is mandating a host of action items for covered businesses. While compliance will prove a burden to many regulated businesses, the new law could be a boon to third-party cybersecurity providers that can provide assistance with compliance.
Virginia-based businesses, regulated by the NYDFS, are subject to the new regulation. Third-party vendors providing cybersecurity services to comply with the regulation also are required to meet the law’s standards, regardless of where they are located, if they are assisting a regulated entity. Therefore, the new regulation is not limited to New York-based entities. Are you caught in this cyber net? If so, here is what Albany expects from you.
Risk assessments, cyber programs and cyber policies
All NYDFS regulated companies are now required to conduct a thorough risk assessment. That term is not defined in the new regulation, but most of the required tasks are to be based off of it. Starting with a comprehensive risk assessment is critical in order to fully comply.
Next, covered businesses must develop and maintain a cybersecurity program “designed to protect the confidentiality, integrity and availability” of the company’s information system. The definition of “information system” is very broad to say the least. The mandated cybersecurity program must detect cybersecurity events; respond to them in order to mitigate the effects; recover from such events and restore normal operations; and comply with reporting requirements. The program must also include an incident response plan that addresses seven separate aspects in responding to a cyber event. It is important to note that the rule defines cyber events to include unsuccessful attacks into the information system. Companies face unsuccessful attacks daily, if not hourly, so this broad scope may pose a significant burden in reporting requirements demanded in the regulation.
In addition to implementation of a cybersecurity program, regulated businesses must develop a cybersecurity policy. The policy must be approved by the senior officer or board of directors. Again, the cybersecurity policy is to be based on the risk assessment, and address 14 discrete areas. Of particular note, the policy must address vendor and third-party service provider management. Cyber risk at a company’s vendors has posed a particular weak spot in many a cybersecurity plan. Most entities believe any data incident or breach at the vendor does not expose the customer to risk or liability – not true. If the data is yours, then it is your responsibility, and now NYDFS-governed businesses must get serious about their outside vendors.
Your newest employee or vendor – a chief information security officer
A chief information security officer (CISO) must be appointed if a covered business does not have one. The new officer must be qualified, but the regulation does not define what makes one qualified for the position. The CISO is responsible for implementation of the cybersecurity program as well as policy. Outside providers are permitted to serve in this role, but the company cannot delegate responsibility for compliance with the law to the outside CISO. The company must also retain oversight of the outside vendor, and ensure it also maintains a cybersecurity program that meets the covered entity’s regulatory obligations. Any outsourced cyber services permitted to comply with the new regulation require the vendor also to comply with the law’s requirements. It does not matter where an NYDFS-covered business is located, or where the vendor is based.
Monitoring and testing of the required cybersecurity program is mandated. The task may be accomplished by continuous monitoring or through periodic penetration testing and vulnerability assessments. Covered entities using the latter methods must annually conduct penetration testing of the information systems, and vulnerability assessments twice a year. Once again, the testing is to be guided by reference to the risk assessment. Not surprisingly, the NYDFS is now requiring companies to start limiting access privileges to the information systems. In other words, access is on a need-to-know basis. Companies must periodically review access privileges, and update as warranted.
Regulated entities must conduct risk assessments on a periodic basis. Furthermore, any risk assessment must be updated as necessary to address changes to its information systems, nonpublic information being held by the company, and business operations. The new regulation sets forth certain criteria that must form the policies and procedures of the risk assessment.
In addition to the mandated use of a CISO, companies must also utilize qualified cybersecurity personnel to address the cyber risks and handling of the cybersecurity program. Use of a third-party vendor is permitted in order to comply. However, such personnel must receive cyber updates and training to ensure they can address cybersecurity risks. While use of outside vendors to assist in implementing and complying with the requirements is permitted in many instances, the new regulation sets out a section full of requirements for such service providers to meet, which alone will require significant effort on the part of covered entities.
Protective measures now required
Multi-factor authentication is now mandated, but alternatively can be accomplished through risk-based authentication. Both are defined in the new regulation. A company must use the authentication method for accessing nonpublic information as well as accessing internal networks from external ones. Multi-factor authentication is becoming a required standard in cybersecurity compliance.
Companies must implement monitoring of authorized users’ access to nonpublic information, and provide all personnel with cybersecurity awareness training. Encryption, or another acceptable alternative when encryption is infeasible, is mandated for nonpublic information in transit or at rest. The CISO must approve the alternate method, and the decision must be reviewed annually.
New York wants to know you are complying
Cybersecurity events that require notification to any governmental entity, self-regulatory agency or supervisory body also must be reported to the NYDFS superintendent within 72 hours. The same is true for an event that has “a reasonable likelihood of materially harming any material part of the normal operations” of the covered entity. In addition, a company’s board of directors must submit an annual report to the superintendent certifying compliance with the regulation. For covered businesses, the risk of claims against directors & officers takes on a new scope in light of this requirement. This creates a new avenue of liability for directors and officers when they fail to ensure adherence to the new standards.
Regulated companies should immediately ensure they maintain the appropriate insurance coverage for claims that can be asserted for failure to comply with the new regulation when experiencing a cyber event. Such insurance policies include directors & officers, errors & omissions, cyber/data privacy and bankers liability. A comprehensive insurance program is critical for regulated businesses. A separate insurance program audit by outside coverage counsel is strongly encouraged in order to provide attorney-client protection to the analysis. Of course, policyholders must immediately address gaps discovered in coverage with their insurance attorneys and broker.
The NYDFS packed an extraordinary amount into a mere 12 pages. While the regulation is effective on March 1, it provides covered entities certain transition periods to come into compliance, spanning from 180 days up to two years. However, there is no time to waste in embarking on the path toward full compliance. In addition to adhering to the new rules, companies will certainly have to take additional actions in reviewing vendor agreements and insurance programs.
Naturally, smaller companies are exempt from the new regulation. Such companies include those with fewer than 10 employees; or less than $5 million in gross annual revenue in each of the last three fiscal years; or those companies with less than $10 million in year-end total assets. Of course, covered entities that do not possess nonpublic information, and are not required to, also are exempt. There are some other very niche exceptions.
Other industries should take heed: the new NYDFS regulation is likely a harbinger of things to come. While there are certain ambiguities in the final draft of the regulation, it certainly creates a new standard for cybersecurity that could easily be applied to many other lines of business. For those financial service businesses regulated by the NYDFS, whether in New York or not, your time has come to be cyber savvy. The same is true for their cybersecurity vendors. Virginia companies subject to the new regulation need to ensure they get compliant.
Collin Hite is the practice leader of the Data Privacy & Security Group and the Insurance Recovery Group in Hirschler Fleischer's Richmond office. He can be reached at 804-771-9595 or [email protected].