We wanted to keep you informed on the progress of the DFS cybersecurity regulations, as they complete their journey through the approval process. DFS has been working on the regulations since its 2013-2014 studies on cybersecurity risks to financial institutions. As reported in our article, Getting Prepared for the New York Department of Financial Services’ Proposed Cybersecurity Regulations, the original proposed regulations were published on September 28, 2016. The revised regulations were published on December 28, 2016. A Notice of Adoption was published in the New York State Register last week announcing the adoption of the final regulations.
The Notice of Adoption noted that DFS received 60 comments on the revised regulations published on December 28, 2016 – but that it determined most of the comments requested unnecessary changes to the scope, wording or meaning of the regulations. Several comments asked DFS to hold off on finalizing the regulations until the federal government had implemented regulations, or to make efforts to harmonize the DFS regulations with existing (or proposed) state and federal standards, but DFS rejected these suggestions, stating that “it is vitally important to establish regulatory minimum standards for cybersecurity practices to address challenges currently facing the New York financial services sector.”
So what changes were made? To recap, the December 28, 2016 regulations made several key changes (see our article, New York Releases Revised Proposed Cybersecurity Regulations). The final regulations include “nonsubstantive” changes to several sections, including:
- A tweak to the definition of “penetration testing” in Section 500.01(h) (“unauthorized penetration testing” was changed to “penetration testing”);
- The responsibilities for implementing a cybersecurity program in Section 500.02 were clarified by language that states the covered entity may adopt “the relevant and applicable provisions of” a cybersecurity program that its affiliates maintain;
- The Penetration Testing and Vulnerability Assessment provisions of Section 500.05 were revised to delete some duplicative language relating to periodic penetration testing;
- The required retention period for audit trails under Section 500.6 was decreased to three years (from five);
- The events that must be reported to DFS under Section 500.17 were clarified (by eliminating some extraneous language), and language was added to clarify that the annual report would cover the prior calendar year;
- The exemptions in Section 500.19 were revised to clarify that the thresholds in (a) are applied taking into account the operations of a covered entity and its affiliates, to clarify the scope of the exemptions (a new (d) was added to exempt Article 70 entities), and to clarify that notices of exemption must be filed within 30 days of making the determination that the entity is exempt.
The transitional periods for compliance with the final regulations have not changed in the final rule. Compliance is required within 1 year for the regulations relating to:
- Annual reporting to the covered entity’s board
- Penetration testing and vulnerability assessments
- Risk assessments
- Multi-factor authentication
- Cybersecurity awareness training
Compliance is required within 18 months for the regulations relating to:
- Audit trails
- Application security
- Limitations on data retention
- Monitoring the activity of authorized users
- Encryption of nonpublic information
There is a two-year period for compliance with the third-party service provider provisions; for all other provisions, entities should be in compliance within 180 days.
The final regulations continue to define a “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.”