Debevoise Analyzes Revised New York Cybersecurity Regulation for the Financial Sector

New York’s Department of Financial Services (DFS or the Department) has responded to a large volume of comments about its proposed, sweeping cybersecurity regulation for banks, insurers and other financial service providers by softening a number of provisions that many in the industry had criticized as onerous and overly prescriptive. On December 28, 2016, the Department published a revised regulation (the Revised Draft Regulation)[1] that altered its original, “first-in-the-nation” proposal issued on September 13, 2016 (the Original Draft Regulation).

Many had argued that the Original Draft Regulation should be more risk-based, along the lines of the NIST Cybersecurity Framework and similar guidelines-based approaches to cyber risk management, rather than a top-down list of detailed requirements.[2] The Revised Draft Regulation moves towards a more risk-based approach—in particular, elevating the significance of periodic risk assessments that covered entities will undertake. The regulation remains the most detailed and comprehensive ever introduced in the financial sector, however.

The Revised Draft Regulation is subject to a 30-day notice and comment period, ending January 27, 2017, which DFS has stated will focus on any new comments that were not previously raised in the original comment process.[3] Subject to any further revisions that arise out of the new comment process, the Revised Draft Regulation goes into effect on March 1, 2017 (extended from January 1 in the Original Draft Regulation), with a general transition period of six months from the effective date, subject to the new, section-specific transition periods noted below.

Notable Revisions to the Original Proposal

The Revised Draft Regulation adjusts many aspects of the Original Draft Regulation. DFS issued no redline version or explanation of its changes. We discuss here revisions to some of the most significant provisions.[4]

Cybersecurity Program and Policies, and Roles of Senior Management and the Board

Section 500.02 of the Revised Draft Regulation adds that the umbrella “cybersecurity program” that each Covered Entity must have shall be based on a periodic Risk Assessment, as further described in new language to Section 500.09, that the entity must conduct to identify the cybersecurity risks it faces and must use to shape its information security policies and procedures. The cybersecurity program itself must track the familiar NIST Framework categories with some modification: identification (of risks), defense (of systems and information), detection (of Cybersecurity Events), response and recovery (to said events), and fulfillment of regulatory reporting obligations. The upshot is that Covered Entities are given more latitude to design their cybersecurity programs (including the policies and procedures they contain) based on their periodic Risk Assessment. A notable change in the Revised Draft Regulation, clearly made in response to comments about duplication and other inefficiencies, allows a Covered Entity to adopt the qualifying cybersecurity program of an Affiliate.

One of the concerns of the Original Draft Regulation was the proposed requirement both for the board of directors to review and a Senior Officer to approve the firm’s cybersecurity policies and procedures (pursuant to Section 500.03). The Revised Draft Regulation eases this requirement by eliminating mention of board review and by allowing for approval either by the board or a Senior Officer.

Definition of Nonpublic Information

The Original Draft Regulation included three approaches to defining the sort of “Nonpublic Information” that DFS requires Covered Entities to protect: a general category of business information that would cause a “material adverse impact” if tampered with or disclosed; a category of information provided to a Covered Entity by consumers in connection with “seeking or obtaining” financial services; and a category of healthcare information.

The business information and healthcare category definitions are essentially unchanged in the Revised Draft Regulation. In preserving the “material adverse impact” test for business information, DFS overrode comments from the industry to the effect that such a test is vague and overbroad.

DFS did, however, rewrite the definition for the consumer information category. Where the previous version covered essentially all information that a consumer provides to a Covered Entity, the new definition is limited to markers that “can be used to identify such individual,” such as social security numbers, drivers’ license numbers, account numbers, passwords, and biometric identifiers. The net effect is to bring the scope of covered information substantially in line with New York’s breach disclosure statute, which includes a similar definition of covered personal information.[5]

Chief Information Security Officer, Periodic Reporting, and Annual Certification

On another governance point, although the requirement for each Covered Entity to have a Chief Information Security Officer (CISO) or equivalent is unchanged, the Revised Draft Regulation makes clear that the CISO may be employed by an Affiliate (or, as permitted before, by a Third Party Service Provider) and extends the CISO’s required periodic written reports to the board of directors from bi-annual to annual. The Revised Draft Regulation also limits the CISO’s reporting duty regarding cybersecurity risks and Cybersecurity Events to those that are “material.” Although the revision deletes the requirement that the report be made available to DFS, elsewhere in the Revised Draft Regulation (at Section 500.02), DFS has added a new requirement that “[a]ll documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.” Notably, the Revised Draft Regulation retains the requirement that senior management annually certify compliance with the new rules.

Multi-Factor Authentication, Encryption and Access Privileges

One of the most troublesome aspects of the Original Draft Regulation had been the very broad requirements—tied largely to the broad definition of Nonpublic Information—to use Multi-Factor Authentication for seemingly all network access, and to encrypt nearly all data in transit or at rest. The Revised Draft Regulation makes welcome changes to both requirements. Multi-Factor Authentication is required only for individuals accessing the Covered Entity’s internal networks from an external network, and even then, only when the CISO has not approved the substitution of “reasonably equivalent or more secure access controls.” In all other cases, a Covered Entity need only implement “effective controls,” which “may include” Multi-Factor Authentication or Risk-Based Authentication. Perhaps even more significantly, the mandatory encryption requirements noted above are relaxed, in cases where encryption is “infeasible,” to allow for “alternative compensating controls” reviewed and approved by the CISO at least annually.

A small but significant change concerning access privileges eliminates the requirement that entities limit user access to Information Systems and Nonpublic Information on a “need to know” basis, requiring instead that access be limited (and reviewed periodically) based on the entity’s Risk Assessment.

Third Party Service Providers

Another controversial provision of the Original Draft Regulation required Covered Entities to establish third party information security policies and procedures that arguably treated all vendors the same way in terms of the risks they presented and the information security terms that could be imposed on them. Here, DFS made significant changes to move to a risk-based, guidelines approach by allowing each Covered Entity to base the specific terms of its vendor policies and procedures on the vendor risks identified in the entity’s overall Risk Assessment. The Revised Draft Regulation does require that policies and procedures at least address, “to the extent applicable,” how vendor risks will be assessed, what minimum security requirements are expected, and what due diligence is appropriate, among other considerations. Further, rather than compelling Covered Entities to impose particular contractual terms on all vendors, the Revised Draft Regulation softens this obligation by instead requiring entities to establish “relevant guidelines” addressing due diligence and/or contractual provisions covering such topics as the vendor’s relevant policies and procedures, representations and warranties concerning those policies and procedures, and notice of Cybersecurity Events, among other items.

Incident Response Plan

The detailed requirements in the Original Draft Regulation related to incident response planning were relaxed somewhat by the introduction of a materiality threshold, such that a Covered Entity’s incident response plan shall apply to a Cybersecurity Event “materially affecting” the confidentiality, integrity, or availability of the entity’s systems or operations. Given the extremely broad definition of Cybersecurity Event, which includes even unsuccessful attempts to gain unauthorized system access regardless of how insignificant or common they may be, this change should have a significant limiting effect, depending on how DFS will interpret the materiality threshold.

Breach Notification to DFS

The Original Draft Regulation included rigorous requirements for reporting Cyber Events to DFS within 72 hours to a degree that industry commenters said would be unduly burdensome and would require the over-reporting of incidents that ultimately prove to be unverified or immaterial. DFS has responded by narrowing the reporting thresholds in the Revised Draft Regulation: While the 72-hour trigger is preserved, the clock now begins to run from a determination that a Cyber Event either (i) is otherwise required to be reported to any government, self-regulatory or supervisory body (eliminating the previous tripwire that would have required DFS notice, for example, even when the Covered Entity seeks law enforcement help voluntarily), or (ii) causes a “reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (eliminating the troublingly broad requirement of notice for any “actual or potential unauthorized tampering”).  The revised approach should substantially reduce the reporting burden as a practical matter.

Miscellaneous Provisions

  • DFS has clarified and broadened the scope of exemptions from the new regulation—in particular, specifying that an “employee, agent, representative or designee” is exempt, so long as that person “is covered by the cybersecurity program of the Covered Entity.” This change will make obligations clearer and more predictable for companies that operate through decentralized networks of branches, independent agents and the like.
  • Training and testing requirements are now modified, so that the training curriculum and periodic system testing must be tied to issues identified in a Covered Entity’s Risk Assessment, and allowing for “continuous monitoring” instead of otherwise required annual penetration testing and bi-annual vulnerability assessments.
  • Audit trail documentation requirements are reduced from six years to five, and the requirements are now more focused on materiality.
  • Data retention requirements have been made somewhat more flexible by allowing retention of whatever is necessary for business operations “or for other legitimate business purposes” of the entity, or where targeted disposal is “not reasonably feasible” due to the manner in which the information is maintained.
  • A new confidentiality standard specifies that information disclosed under the regulation is subject to exemption from disclosure requirements that would apply under other laws, such as the Banking and Insurance Laws and, apparently, New York’s Freedom of Information Law.
  • Various new transitional periods are specified for particular sections, the net effect of which collectively is to give industry more time to comply; the longest of these is two years to implement the Third Party Service Provider Security Policy requirements.

Open Questions and Practical Issues

One of the most significant questions raised in the initial comment period that remains largely unaddressed by the Revised Draft Regulation is the extent to which DFS intends extraterritorial application of the Revised Draft Regulation. For example, as to a foreign-based banking institution with an affiliated branch in New York, will the bank choose to align its global cybersecurity program with New York’s broad requirements (thereby allowing the branch to take advantage of the new provision allowing a Covered Entity to fall under the qualifying program of an Affiliate), or instead develop a separate cybersecurity program only for its New York operations? If the latter, will DFS seek to inquire about how information security is managed for interconnected systems that extend outside of New York?

While the move to a more risk-based, guidelines-style approach is certainly welcome, the Revised Draft Regulation remains very broad and detailed. The scope of the Revised Draft Regulation likely will make compliance a challenge for many Covered Entities and particularly for smaller, less-resourced firms that will need to rely on outside vendors to become compliant. And, of course, with the favorable change to more flexible concepts such as “reasonable likelihood” and “material[ity]” as to cyber risks and events comes a degree of uncertainty about how DFS will interpret these concepts in practice. It will likely take several years before DFS’s expectations on these points are clarified.

ENDNOTES

[1]    http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.

[2]    See National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity, Version 1.0, February 12, 2014. https://www.nist.gov/sites/default/files/documents/cyberframework/cybersecurity-framework-021214.pdf.

[3]    http://www.dfs.ny.gov/about/press/pr1612281.htm.

[4]    We retain here DFS’s capitalization of defined terms and refer the reader to Section 500.01 of the Revised Draft Regulation for complete definitions of these terms.

[5]    New York General Business Law § 899-aa(1).

This post comes to us from Debevoise & Plimpton LLP. It is based on the firm’s client update, “New York Eases Proposed Cybersecurity Regulation for Financial Sector, But Practical Issues Remain,” dated January 3, 2017, and available here.