The next phase of New York’s cybersecurity rules entered into force on September 4, 2018, requiring Covered Entities, including insurance companies, banks, and other financial services companies regulated by the New York State Department of Financial Services (“NYDFS”), to encrypt confidential data in transit over external networks and at rest, monitor user activity, implement secure data disposal procedures, and maintain audit trails of network activity and significant transactions. In 2017, the NYDFS published cybersecurity regulations requiring Covered Entities regulated by the NYDFS to comply with new cybersecurity requirements intended to protect customer data. Even though the regulations became effective in 2017, the implementation dates are staggered in order to give Covered Entities time to comply. In addition to Covered Entities, the NYDFS, through a separate rulemaking, is also requiring consumer credit reporting agencies to comply with the cybersecurity requirements.
Some of the key aspects of the rules include:
- Applicability (Section 500.01): The New York cybersecurity rules broadly apply to “Covered Entities,” which include natural persons or businesses “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s banking, insurance, and financial services laws. The Frequently Asked Questions section published by the NYDFS stresses that “given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections” of the cybersecurity rules.
- Exemptions (Section 500.19): There are certain exceptions from the NYDFS rules, including Covered Entities that have fewer than 10 employees based in New York; less than $5 million in gross revenue over each of the past three years; or less than $10 million in total assets. There are some more limited exceptions as well.
- Penalties: The penalties for noncompliance with the cybersecurity rules include monetary penalties, injunctive relief, and orders requiring corrective action. Under the separate consumer credit reporting agency requirements, the NYDFS superintendent has the authority to deny, suspend, or revoke a consumer credit reporting agency’s authorization to do business in the state.
As of September 4, 2018, Covered Entities are required to comply with provisions related to the following:
- Audit Trail (Section 500.06): Covered Entities must securely maintain systems that: (1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the Covered Entity and maintain such records for at least five years; and (2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity and maintain such records for at least three years.
- Application Security (Section 500.08): Each Covered Entity’s cybersecurity program must include written procedures, guidelines, and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the Covered Entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the Covered Entity within the context of the Covered Entity’s technology environment. These procedures, guidelines, and standards must be periodically reviewed, assessed, and updated as necessary by the Chief Information Security Officer, or a qualified designee, of the Covered Entity.
- Limitations on Data Retention (Section 500.13): Each Covered Entity must implement policies and procedures for the secure disposal of any nonpublic information that is no longer necessary for business operations or for other legitimate business purposes of the Covered Entity. However, there is an exception where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
- Monitoring (Section 500.14(a)): Each Covered Entity must implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and to detect unauthorized access to or use of, or tampering with, nonpublic information by such authorized users.
- Encryption of Nonpublic Information (Section 500.15): All nonpublic information at rest and in transit must be encrypted. Covered Entities will have to certify their compliance with this regulation on an annual basis. To the extent encryption is infeasible, nonpublic information may be secured using “effective alternative compensating controls” that have been reviewed and approved by the Covered Entity’s Chief Information Security Officer.
The NYDFS provides a Frequently Asked Questions section regarding the rules and compliance on their website.
There are additional requirements and key dates on the horizon, including:
- November 1, 2018: Every consumer credit reporting agency that is deemed to be a Covered Entity must comply with the NYDFS’ cybersecurity requirements (e.g., maintain a cybersecurity program and policy, audit trail, etc.). There are additional deadlines for consumer credit reporting agencies included in Section 201.07.
- February 15, 2019: Covered Entities must submit a certification of compliance with respect to the above requirements, in addition to those requirements for which compliance was already required (e.g., Chief Information Security Officer reporting, bi-annual vulnerability assessments, risk assessments, multi-factor authentication, and training and monitoring identified in the Covered Entity’s risk assessment).
- March 1, 2019: Covered Entities that utilize third-party service providers must adopt written policies and procedures that are based on a risk assessment and designed to ensure the security of information systems and nonpublic information that are accessible to third-party service providers as specified in Section 500.11.
- February 15, 2020: Covered Entities must submit a certification of compliance with the Third Party Service Provider Security Policy found in Section 500.11.
In sum, these new requirements are likely to affect many elements of a Covered Entity’s operations. The regulations are also likely to indirectly affect many service providers that process nonpublic information for Covered Entities, as Covered Entities revise the contractual and security requirements they impose on those providers in order to meet their own obligations. As such, Covered Entities and their service providers should assess the possible impact of these new and existing requirements on their business, especially since additional requirements are set to take effect in the future. Covered consumer credit reporting agencies should also assess their compliance.
If you have any questions regarding privacy or consumer issues, please contact one of the authors or any member of Arnall Golden Gregory’s Privacy and Consumer Regulatory Practice Group.
Kevin L. Coy is a Privacy Partner in Arnall Golden Gregory LLP’s Washington, D.C. office.