An update to my article regarding the New York Department of Financial Services (DFS) proposed cybersecurity regulation (officially known as “23 NYCRR 500”).
Last month, the DFS revised its proposal in response to various comments to make some requirements easier while providing clarification on others (click to read the press release and revised regulation). The notice and public comment period for the revised rule ends on January 27, 2017, and finalization is expected shortly after the end of the comment period.
Here is a summary of key changes:
The proposed effective date is extended for two months – now March 1, 2017 rather than January 1, 2017. Covered entities have 180 days from the new effective date to comply, although the regulation allows additional time to comply with certain requirements, such as:
The original proposed regulation required a covered entity’s cybersecurity policy to address a list of 14 requirements. Now the policy can be based on the covered entity’s risk assessment and only needs to include the requirements to the extent they apply to the covered entity’s operations.
A covered entity must maintain a cybersecurity program based on its risk assessment. It can now comply with this requirement by adopting a cybersecurity program maintained by an affiliate, so long as the program covers the covered entity’s information systems and nonpublic information and complies with the proposal.
A covered entity was expected to maintain an audit trail system with six specific requirements for tracking and maintaining data. This has been revised to require the specified elements of the audit trail system based on the results of the risk assessment. Also, the six specific requirements for tracking and maintaining data were replaced with just the three elements noted below and qualified by materiality:
The requirements imposed on covered entities about third-party service providers’ cybersecurity were substantially modified:
A designated CISO is no longer required, so long as a qualified individual is in place to oversee and implement the covered entity’s cybersecurity program and enforce its cybersecurity policy.
The reporting and notice requirements were revised as follows:
Board Reports – The CISO’s report to the board of directors must now be in writing and delivered annually instead of biannually. Also, the report no longer needs to propose remedial steps for inadequacies identified in a covered entity’s cybersecurity program.
Note: One unclear point is whether the report still needs to be made available to the Superintendent upon request. The revised proposal no longer contains this language. However, under § 500.02(d) there is a requirement that “all documentation and information relevant to [a] covered entity’s cybersecurity program shall be made available to the superintendent upon request.”
Notice for any cybersecurity event that involves the actual or potential unauthorized tampering with, or access to or use of, nonpublic information is no longer required. Instead, a covered entity must now notify the DFS Superintendent within 72 hours if the cybersecurity event has a reasonable likelihood of materially harming any material part of the covered entity’s normal operations.
Nonpublic information no longer needs to be encrypted if encryption is not possible and the covered entity relies on other compensating controls instead.
Note: While the deadlines for using compensating controls were removed, a review must be done at least annually to assess the feasibility of encryption and effectiveness of the compensating controls.
A confidentiality section was added to provide that information covered entities provide under the regulation will be subject to exemptions from certain disclosure laws.
The DFS modified its limited exemption for small covered entities and added other exemptions:
The summary of the regulation has been revised to reflect the updated proposal.
Note: This information was prepared by Patty P. Tehrani, Lawyer and Founder of Policy Patty Toolkit, a consulting business that helps organizations develop, assess or enhance their governance, compliance and risk management programs, policies, controls and processes. The Policy Patty Toolkit provides general information only that does not constitute legal advice.
Patty P. Tehrani is an experienced compliance counsel and advisor and the founder of the Policy Patty Toolkit (www.policypatty.com). Patty has expansive knowledge and expertise on policy development as well as governance and risk management programs, processes and controls. You can follow her on LinkedIn or contact her via email@example.com.