On September 13, 2016, the New York State Department of Financial Services (“NYDFS”) issued proposed cybersecurity regulations (“Original Proposed Regulations”) that would impose new, stringent cybersecurity requirements on banks, money transmitters, insurance companies, and other financial service providers regulated by the NYDFS (collectively, “Regulated Institutions”).
During the 45-day notice and public comment period, NYDFS received over 150 comments from Regulated Institutions, trade associations, individuals and third party service providers, including cybersecurity service providers. On December 28, 2016, the NYDFS published revised proposed regulations (“Revised Proposed Regulations”) to address the comments received. Below is a table summarizing the most salient changes to the Original Proposed Regulations. Please note that the information in the table is not a comprehensive summary of the proposed regulations.
|Requirement||Original Proposed Regulation||Revised Proposed Regulation|
|Chief Information Security Officer||Appointment of an exclusive CISO with only information security duties; bi-annual written reports to the Regulated Institution’s governing body||Appointment of a non-exclusive CISO who may perform other functions; annual written reports to the Regulated Institution’s governing body|
|Data Retention and Destruction||Destroy nonpublic information no longer necessary to provide products and services||May maintain nonpublic information if necessary for business operations or other legitimate purposes|
|Penetration Testing and Vulnerability Assessments||Annual penetration testing and quarterly vulnerability assessments||Continuous monitoring or periodic penetration testing and vulnerability assessments; absent effective continuous monitoring, the Regulated Institution must conduct annual penetration testing and bi-annual vulnerability assessments|
|Access Privileges||Limited to individuals who require access to perform their responsibilities||Limited to individuals based on the Regulated Institution’s risk assessment|
|Multifactor Authentication||Multifactor authentication and risk-based authentication for specified circumstances||Regulated Institutions select appropriate controls, which may include multifactor or risk-based authentication, based on their risk assessment|
|Encryption||Compensating controls for a limited transition period: one year for encryption of data in transit and five years for encryption of data at rest||Compensating controls may be used indefinitely for nonpublic information in transit and at rest, as approved by the CISO who annually reviews feasibility and effectiveness|
|Audit Trail||Maintenance of audit trail systems based on prescriptive requirements; maintain records for six years||Maintenance of audit trail systems based on the Regulated Institution’s risk assessment; maintain records for five years|
|Third-Party Service Providers||Required to include security language in contracts||Security guidelines to be provided to third-party service providers|
|Nonpublic Information||Broad definition||More limited definition|
|Notice to NYDFS of Cybersecurity Events||If risk of materially affecting the Regulated Institution’s operations or nonpublic information||If risk of material harm to the Regulated Institution’s normal operations|
|Use of Affiliates to Help Comply with Requirements||Not permitted; only third party service providers permitted||Permitted|
|Confidentiality Regarding Exemptions from Disclosure||None||Information provided by a Regulated Institution is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law, or any other applicable state or federal law|
|Transitional Period||180 days from the effective date to comply with regulations||Adds three exceptions:
By March 1, 2018:
By September 1, 2018:
By March 1, 2019:
|Effective Date||January 1, 2017||March 1, 2017|
The NYDFS added several new exemptions in the Revised Proposed Regulations. Any Regulated Institution claiming an exemption must file a notice of exemption with the NYDFS. A Regulated Institution may be excluded from certain provisions, including appointing a CISO, penetration testing, application development, multifactor authentication, encryption and incident response plan obligations if it has (a) fewer than 10 employees or independent contractors; (b) less than $5 million in gross annual revenue in each of the past three fiscal years; or (c) less than $10 million in its and its affiliates’ GAAP year-end total assets. Additionally, if a Regulated Institution is an employee, agent, representative, or designee of another Regulated Institution, no program is required. Finally, a Regulated Institution that does not directly or indirectly maintain information systems or possess nonpublic information is exempt from most requirements of the Revised Proposed Regulations, except for requirements relating to risk assessments, implementation of written third party service provider policies, disposal of nonpublic information and notice to the NYDFS.
The NYDFS will finalize the Revised Proposed Regulations following a second notice and public comment period. Comments on the Revised Proposed Regulations are due January 27, 2017. We encourage Regulated Institutions to check whether their cybersecurity policies, procedures and programs comply with the Revised Proposed Regulations’ requirements.