Richard Borden, Counsel, Robinson + Cole
Daniel Garrie, Managing Director, Law and Forensics
Yoav M. Griver, Partner, Zeichner Ellman & Krause LLP
On September 13, 2016, Governor Cuomo of New York announced Cybersecurity Requirements for Financial Services Companies (the “Regulation”), the first true cybersecurity regulation intended to protect financial services companies and consumers. While prior laws and regulations have primarily focused on protecting personal consumer information, the Regulation is different. While the Regulation does not ignore individuals, it focuses on the heart of cyber risk at financial services companies that “operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law,” and at their vendors. Thus, the Regulation, which will be overseen by the Department of Financial Services (the “Department”), is a direct and sweeping attempt at creating a regulatory oversight regime for cybersecurity in an area universally considered critical to New York and the United States.
The Regulation goes beyond requirements for protecting personal information to broadly outline the duties and responsibilities of Covered Entities. The integrity and protection of Information Systems and the attendant Nonpublic Information, which includes “[a]ny business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity,” are the core of the Regulation.
Covered Entities must establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of Information Systems. The cybersecurity program must perform six core functions: (i) identify cyber risks; (ii) protect Information Systems and Nonpublic Information; (iii) detect Cybersecurity Events; (iv) respond to, and mitigate, such events; (v) recover from such events; and (vi) fulfill all regulatory reporting obligations. While these functions are non-controversial, the Regulation has some challenging elements. For example, the “identification” function requires that the program identify (i) the Nonpublic Information stored on Information Systems, (ii) the sensitivity of such Nonpublic Information and (iii) how and by whom such Nonpublic Information may be accessed. This will require data classification systems and processes that subcategorize sensitive information, as well as clear authentication and access management.
Covered Entities are required to implement and maintain a detailed written cybersecurity policy, and accompanying procedures, that must be reviewed by the Board of Directors and approved by a senior officer or committee with responsibility for the management, operations, security, information systems, compliance “and/or” risk of the Covered Entity. This appears to require the inclusion of parties beyond IT and Information Security in the development and approval of cybersecurity policies. The company’s compliance and risk organizations are now required approvers of the cybersecurity policy.
Further, Covered Entities must now have a qualified Chief Information Security Officer (“CISO”), and cybersecurity personnel sufficient to manage the cybersecurity risks and perform the core functions. Such personnel must be trained regularly and “take steps to stay abreast of changing cybersecurity threats and countermeasures.”
A Covered Entity’s cybersecurity program must also be designed to ensure the security of Information Systems and Nonpublic Information accessible to, or held by, third parties doing business with the Covered Entity. The third-party policies and procedures must cover a broad set of initial and ongoing risk identification and assessment practices and due diligence requirements. They must also include preferred contractual terms addressing a series of topics, including multi-factor authentication, encryption of data in transit and at rest, notice of breaches, representations and warranties, and audit rights. How some of this will work in multi-tenant environments is unclear. In addition, Covered Entities are required to submit annually to the Department a written statement certifying compliance with the Regulation.
The Regulation gets into considerable detail concerning a number of other important areas of cybersecurity, including penetration testing and vulnerability assessments, how audit trails are created and maintained, access privileges, application security, training and monitoring, and limitations on data retention. Of particular note, there is a requirement that the Covered Entity encrypt data in transit and at rest. There are one-year and five-year periods to come into compliance with these requirements if such encryption is “infeasible” at the current time, but appropriate alternative compensating controls must be enacted and approved by the CISO during any transition period.
The Covered Entity must have a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business. This requirement reaches far beyond traditional business continuity planning. Recovering from integrity attacks, such as those carried out by advanced persistent threats, is a process many organizations do not fully understand. In the event of a material breach, the Covered Entity is required to immediately notify the Department.
Additionally, there appear to be two reports that must be prepared. First, the CISO must develop a report that, at least bi-annually, assesses the confidentiality, integrity and availability of Information Systems and the effectiveness of the cybersecurity program. Second, the Covered Entity must conduct an annual risk assessment of Information Systems as part of the requirement to create written policies and procedures that define the scope of risk. Each report must be made available to the Department. These reports will necessarily require control testing of systems, data processes and procedures from the bottom of the company to the top. The nearest analogous methodology for such reporting may be the Sarbanes-Oxley Section 404 control testing regime.
The Regulation is dense with content and requirements; it will create a sea change in how companies, and particularly the legal and compliance departments within Covered Entities and their vendors, view and support the cybersecurity function. Time will tell whether this new Regulation will create an applicable standard of care or duty in cybersecurity that helps to more properly define the scope and limits of a company’s liability in the event of a cyber breach.
The opinions expressed are those of the author(s) and do not necessarily reflect the views of Robinson + Cole, Law & Forensics, JAMS, Zeichner Ellman & Krause LLP, their clients, or any of its or their respective affiliates. This article is for general information purposes and is not intended to be and should not be taken as legal advice.