On December 28, 2016, the New York Department of Financial Services (“DFS”) published in the State Register a revised proposed cybersecurity regulation (23 NYCRR 500). The deadline to submit comments on this version is January 27, 2017, and the proposed effective date of the regulation is March 1, 2017. This version takes into account the more than 150 comments received since the DFS first proposed the regulation in September 2016.
While maintaining the structure and subject matter of the original draft proposal, the revised cybersecurity regulation attempts to give covered entities more flexibility and more room to tailor their programs. It does so by (1) simplifying some of the requirements; (2) linking compliance to items material to the regulated entities; and (3) loosening the reporting and timing requirements found in the original draft. Unlike the initial proposed regulation, the new version provides entities with an eighteen-month transitional period to create written procedures to ensure the security of their applications, establish policies for the secure disposal of nonpublic information, and develop an audit trail system, and a two-year transitional period to develop and implement written policies and procedures for their third party service providers.
Risk Assessment for Customized Compliance Reflective of Business Operations
One of the biggest changes in the proposed regulation is that it now requires a covered entity to perform a “Risk Assessment” and to use that assessment to determine how to structure its cybersecurity program in compliance with the regulation. While the original proposal contained the Risk Assessment concept, it is now the key component of how an entity’s cybersecurity program is designed and how the entity demonstrates compliance with the regulation.
The Risk Assessment and the cybersecurity program built on it are no longer cookie-cutter; they must be based on the individual characteristics of the entity and the specific risks it faces. Section 500.09 specifically requires a covered entity to conduct periodic Risk Assessments, carried out in accordance with written policies and procedures, and to document the entity’s cybersecurity risks and how those risks will be addressed. A Risk Assessment must be conducted periodically (as opposed to annually), must be updated as reasonably necessary to address changes, and must allow for revision of controls in response to technological developments, evolving threats and the particular risks of the entity’s business operations as they relate to cybersecurity.
Thus, a small entity collecting little nonpublic information will not be subject to the same security standards as a large corporation collecting large amounts of nonpublic information, because the Risk Assessment policies and procedures need only address the evaluation and categorization of the cybersecurity risks or threats actually identified as facing the entity. This theme runs throughout the revised proposal, including the provisions governing an entity’s cybersecurity policy (500.03), audit trail (500.06), access privileges (500.07), third party service provider security policy (500.11), multi-factor authentication (500.12, now only required for accessing the entity’s internal networks from an external network) and encryption (500.15, see below).
Encryption Not Always Required
The original proposed regulation required entities to encrypt nonpublic information within five years. Under the revised proposal, encryption remains the default: to the extent an entity determines that encryption of nonpublic information at rest or in transit over external networks is infeasible, the entity may instead secure that information using effective alternative compensating controls that have been reviewed and approved by its chief information security officer (“CISO”). These compensating controls must be reviewed by the CISO at least annually (500.15).
More Flexibility for an Entity’s Cybersecurity Program
Other key changes include eliminating the requirement that an entity’s cybersecurity program be designed to “ensure” the confidentiality, integrity and availability of the entity’s information systems; the revised proposal substitutes “protect” for “ensure.” Likewise, the requirement that the cybersecurity program fulfill all regulatory reporting obligations has been narrowed to “applicable” regulatory reporting obligations.
Affiliate’s Program (500.02): The proposed regulation allows an entity to adopt a cybersecurity program maintained by an affiliate, provided that the affiliate’s program satisfies the regulation’s requirements as they apply to the entity. This spares each entity in a corporate family from developing and maintaining a separate cybersecurity program and policy and allows for an overall group program.
CISO (500.04): The proposed regulation also allows an entity to designate an affiliate’s CISO, use a third party service provider to fill the role, or designate one of its own employees as CISO. The CISO need only report to the entity’s board of directors on the cybersecurity program annually, rather than twice a year as originally proposed.
Outsourcing (500.10): Cybersecurity personnel no longer have to be employees of the entity; they can be employees of an affiliate or of a third party service provider. The training that must be provided to cybersecurity personnel need only be sufficient to address the cybersecurity risks relevant to the entity.
Cybersecurity Policy (500.03): An entity’s cybersecurity policy, which under the revised proposal is to be based on the entity’s Risk Assessment, need only address the areas applicable to the entity’s operations. Asset inventory and device management were added to the list, now fourteen items long, that the cybersecurity policy must address (to the extent applicable).
In relation to the twelfth item, “vendor and third party service provider management,” the revised proposal gives more guidance on what constitutes a third party service provider. The proposed regulation now defines a “third party service provider” as a person that is not an affiliate of the entity, provides services to the entity, and maintains, processes or otherwise is permitted access to nonpublic information through its provision of those services.
Narrowing of Notice Requirement
The proposed regulation still includes a 72-hour notice requirement for cybersecurity events, but limits it to events that the entity is required to report to any government body or self-regulatory or supervisory body, and events that have a reasonable likelihood of materially harming any material part of the entity’s normal operations (500.17).
Exemptions
Exemptions to the regulation now include entities with fewer than 10 employees (including independent contractors) and others that qualify for exemption under new subsections 500.19(b), (c), (d) and (e), among them an employee, agent, representative or designee of a covered entity that is itself a covered entity. An entity seeking a limited exemption must file the notice of exemption in the form set out as Appendix B.
Next Steps: Effective Dates, Comment Period and Compliance
The new public comment period ends January 27, 2017, and the DFS will focus its review on comments not previously submitted. The proposed effective date of the regulation is March 1, 2017, and the first annual certifications of compliance are due February 15, 2018.
Companies subject to the General Data Protection Regulation (“GDPR”), the European Union’s new data protection law that applies from May 25, 2018, will likely find it comparatively easy to meet the compliance deadlines set out in the revised proposal. Entities not subject to the GDPR should aim to have a plan in place to meet those deadlines no later than mid-2017.