N.Y. Announces Revisions and Delayed Implementation of Cyber Regulations

In September 2016, New York Governor Andrew Cuomo announced a new regulation that would require banks and insurers to implement cyber security programs. Specifically, the proposed regulation required covered entities, defined as any entity operating under a license or other authorization required by New York’s banking, insurance or financial services law, to establish and maintain a cyber security program that would protect the confidentiality, integrity and availability of the covered entity’s information systems. This regulation was initially intended to take effect on January 1, 2017. However, on December 28, 2016, after reviewing over 150 comments submitted by the public, the New York Department of Financial Services (“DFS”) decided to revise the proposed regulation and delay its implementation until March 1, 2017.

Under the revised regulation, covered entities will be required to conduct a risk assessment on a periodic basis to ensure that they have an effective cyber security program and to update the program as reasonably necessary to address changes in technology, business operations and evolving threats to the entity’s information systems. The proposed regulation originally required cyber security programs to address all of the following areas:

• information security;
• data governance and classification;
• access controls and identity management;
• business continuity and disaster recovery planning and resources;
• capacity and performance planning;
• systems operations and availability concerns;
• systems and network security;
• systems and network monitoring;
• systems and application development and quality assurance;
• physical security and environmental controls;
• customer data privacy;
• vendor and third-party service provider management;
• risk assessment; and
• incident response.

The revised regulation, however, offers more flexibility by allowing each covered entity to tailor its cyber security program based on the risk assessment of its cyber security threats and protective measures. The areas listed above must only be included in the cyber security program to the extent they are applicable to the entity’s business operations. The revised regulation also added “asset inventory and device management” to the list of areas that may be included in an effective cyber security program, if applicable. Other revisions to the proposed regulation include:

• Clarification that the Chief Information Systems Officer (“CISCO”), appointed to manage a covered entity’s cyber security program does not have to be exclusively dedicated to CISCO activities.
  • Any existing employee of a covered entity that is qualified to perform CISCO activities may be appointed as the CISCO and may perform such activities in conjunction with his or her other job responsibilities. Alternatively, the CISCO can be an employee of an affiliate or third-party service provider of the covered entity.

• Addition of an exception to the limitation on data retention.
  • Under the new exception, a covered entity is not required to dispose of nonpublic information that is no longer necessary for business operations if such information is otherwise required to be retained by law or if the disposal of such information is not reasonably feasible because of the manner in which it is maintained.

• Deletion of any language that unintentionally suggested that covered entities are required to audit the information systems of their third party service providers.
  • However, covered entities will still be required to implement policies and procedures that protect nonpublic information that is accessible to any third parties that provide services to the covered entity.

• Revisions to the 72-hour reporting requirement when a cyber security event occurs.
  • Although many public comments expressed concern that 72 hours is not enough time to collect information and assess a potential cyber security event, DFS did not increase this timeframe for reporting a cyber security event to DFS. However, the revised regulation explains that a covered entity must only report an event within 72 hours if it determines that the event has a reasonable likelihood of materially harming a material part of its business operations.

• Addition of exemptions for small businesses in order to reduce the financial burden of complying with some of the requirements under the new regulation.
  • Small businesses with (i) less than 10 employees, including independent contractors; (ii) less than $5,000,000 in gross annual revenue in the past 3 fiscal years; or (iii) less than $10,000,000 in year-end total assets, including assets of all affiliates, must still conduct a period risk assessment and implement a cyber security program, but are exempt from complying with the following requirements: (a) utilizing a multi-factor authentication system to protect its information systems from unauthorized access; (b) appointing a CISCO to manage the cyber security program; (b) using qualified cyber security personnel to manage cyber security risks and protective measures; (c) training personnel based on risk assessment results; (d) encrypting all nonpublic information; and (e) establishing a written incident response plan. In addition, an employee, agent or representative of a covered entity that is itself a covered entity is exempt from developing its own cyber security program if its business operations are covered under the cyber security program of the covered entity for which it provides services. All covered entities that are exempt under the revised regulation must file a Notice of Exemption with DFS.

The revised regulation is subject to an additional 30-day public comment period, but DFS will only respond to comments that raise new issues and questions. Unless DFS decides to make further revisions based on the new comments it receives, the regulation will take effect on March 1, 2017. Thereafter, covered entities have 180 days to comply with the regulation. However, the regulation also provides a transition period whereby covered entities will have an extended timeframe to comply with certain requirements in order to reduce their financial and administrative burden. For example, covered entities will have 1 year to conduct a risk assessment, obtain a multi-factor authentication system and train personnel on their cyber security program. They will have 18 months to encrypt all nonpublic information and to dispose of any nonpublic information that is no longer needed for business operations (unless an exception applies). Finally covered entities will have 2 years to establish written policies and procedures that are designed to protect nonpublic information that is accessible to or held by third party service providers.

All covered entities will be required to certify with DFS on an annual basis that they have complied with the regulation and have maintained an effective cyber security program. The first annual certification will be due to DFS next year on February 15, 2018. DFS will likely issue additional guidance on complying with the new regulation in the near future. In the meantime, the revised regulation can be viewed at the following link: http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.