In 2017, the New York State Department of Financial Services (DFS) enacted cyber security regulations (Regulations), which took effect between 2017 and 2019. The Regulations apply to businesses under the jurisdiction of the Department of Financial Services, i.e., entities operating under or requiring DFS licensure or registration (covered entities). For example, all New York State (NYS) licensed insurance companies and NYS-chartered banks and credit unions are subject to the Regulations.
The Regulations, codified at 23 NYCRR 500, include 23 sections. Together, they outline the requirements for developing and implementing a comprehensive cybersecurity program, which requires covered entities to assess their cybersecurity vulnerabilities, develop a written cybersecurity policy, and implement an incident response plan.
The requirements for covered entities’ cybersecurity programs were designed to align with the National Institute of Standards and Technology Cybersecurity Framework. Compliant programs will perform these core functions:
- Identify internal and external cybersecurity threats;
- Employ defensive infrastructure;
- Detect cybersecurity events;
- Mitigate the effects of cybersecurity events;
- Plan for the restoration of operations in case of an event; and
- Fulfill the reporting requirements outlined in the Regulations.
Covered entities’ written cybersecurity policies must address a host of specific topics such as information security, customer data privacy, and incident response. Policies must outline the entity’s procedures for protecting its information systems and any nonpublic information it stores, and must align with industry best practices and the ISO 27001 (International Organization for Standardization) standard. They must also provide for the periodic deletion of information that the entity is not otherwise legally obligated to retain and has no independent business justification for storing.
Written incident response plans must detail the steps a covered entity will take following any event “affecting the confidentiality, integrity or availability” of its information systems or the functionality of its operations. The plans should cover the internal processes for responding to a breach, the roles and responsibilities of those inside and outside the entity, remediation, documentation, and post-event evaluation.
Key for incident response, the Regulations provide that any cybersecurity event which is either required to be reported or which has “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” must be reported to the DFS Superintendent within 72 hours.
One of the Regulations’ mandates is that covered entities limit user access privileges so that nonpublic information is available only to personnel who have a legitimate need to work with it. All personnel must receive cybersecurity awareness training commensurate with their level of access. Certain “core cybersecurity functions,” as defined in the Regulations, must be overseen by qualified cybersecurity personnel. It is the covered entity’s responsibility to verify that these personnel keep up to date on the constantly shifting landscape of threats and countermeasures.
One of the core functions is conducting periodic risk assessments to evaluate the “confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information.” The goal of these assessments is to identify vulnerabilities and respond proactively to threats. Covered entities must conduct annual “penetration testing” and biannual “systematic vulnerability assessments.”
Covered entities must appoint a Chief Information Security Officer (CISO), responsible for maintenance and oversight of their cybersecurity program and enforcement of their cybersecurity policy. CISOs must annually certify that their covered entity is in compliance with the Regulations. CISOs are also responsible for providing an annual written report to their covered entity’s Board of Directors (or equivalent) detailing the status and effectiveness of the entity’s cybersecurity program. CISOs can be in-house, or covered entities may tap an affiliate or a third-party service provider to fulfill the requirement. If a covered entity’s CISO doesn’t work in-house, the covered entity remains liable for compliance and must designate senior personnel to oversee the CISO.
There has been a justifiably renewed urgency in recent months for covered entities to get their cybersecurity house in order. In addition to the widely publicized ransomware attacks derailing major business interests on an almost weekly basis, DFS has begun levying major fines on covered entities with lax compliance. In March, DFS announced that Residential Mortgage Services agreed to pay $1.5 million to settle violations stemming from its failure to report a breach, the result of a common phishing scam, that led to unauthorized access to a “significant amount of sensitive personal data” of customers. Then in April, National Securities Corporation agreed to pay a $3 million penalty for its failure to report two breaches of confidential data between 2018 and 2020.
Entities that would otherwise be subject to the Regulations, but that employ fewer than 10 people, generate less than $5 million in gross annual revenue from NYS operations, or hold less than $10 million in year-end total assets, are exempt from some of the requirements. This may afford some protection from DFS enforcement, but all entities that store or trade in sensitive data would be well advised to implement a thorough cybersecurity program that tracks closely to what the DFS Regulations require.
Your organization’s obligations regarding DFS Regulations are based upon its circumstances. Implementation of a cybersecurity program can be facilitated by the advice of experienced legal counsel. Please feel free to reach out to attorneys Justin Furry or Christopher Baiamonte at the Wladis Law Firm at (315) 445-1700 with questions regarding anything in this article.
Justin S. Furry
Mr. Furry received his BBA from the University of Toledo and his JD from Syracuse University College of Law.