On September 13, 2016, the New York State Department of Financial Services (“DFS”) released draft regulations on cybersecurity potentially effecting all entities licensed or permitted by DFS. The DFS Press release is here: http://www.dfs.ny.gov/about/press/pr1609131.htm and the draft regulations can be found here: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf. DFS first announced its intention to issue these regulations in a letter to federal regulators in November 2015, seeking collaboration with the relevant federal authorities.
In the DFS press release, Governor Cuomo noted that “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises. This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.” See http://www.dfs.ny.gov/about/press/pr1609131.htm.
Under the draft regulations, DFS-regulated entities must:
- establish and maintain a cybersecurity program;
- implement a written cybersecurity policy to be reviewed and approved by the entity’s board of directors;
- designate a Chief Information Security Officer (“CISO”);
- engage in annual penetration testing and quarterly vulnerability assessments;
- create an audit trail to allow for reconstruction of financial transactions when responding to a data breach;
- limit access privileges to those individuals that require them to perform their responsibilities;
- include in the entity’s cybersecurity program controls for security in externally developed applications;
- conduct an annual risk assessment;
- employ or outsource appropriate cybersecurity personnel;
- implement written vendor security policies;
- implement multi-factor authentication for access to the entity’s systems;
- appropriately limit data retention, so as to reduce the risk of protected data being breached;
- implement appropriate cybersecurity training;
- encrypt information protected under the regulations in transit and at rest;
- establish a written incident response plan; and
- notify the DFS Superintendent within 72 hours of discovery of a cybersecurity event that can have a material effect on the operations of the entity or protected information.
The regulations have a proposed effective date of January 1, 2017 and will allow 180 days for compliance, which DFS regulated entities will have to certify in writing to DFS.
The draft regulations also cover types of information not directly related to financial services, including health care information and “[a]ny information that can be used to distinguish an individual or trace an individual’s identity,” including “employment information.” This broad sweep causes the draft DFS regulations to overlap with other regulatory schemes, such as the various state data breach notification and cybersecurity requirements, HIPAA, the Gramm-Leach-Bliley Act, and potentially the Federal Trade Commission Act.