Reviewing Key Changes
The New York State Department of Financial Services (“DFS”) has revised its proposed cybersecurity rule in response to concerns submitted to its original proposal issued last September. Patty Tehrani, lawyer and founder of Policy Patty Toolkit, outlines the changes, including to exemption sections, board reporting and notice requirements.
By: Patty Tehrani
An update to my article regarding the New York Department of Financial Services (DFS) proposed cybersecurity regulation (officially known as “23 NYCRR 500”).
Last month, the DFS revised its proposal in response to various comments to make some requirements easier while providing clarification on others (click to read the press release and revised regulation). The notice and public comment period for the revised rule ends on January 27, 2017, and finalization is expected shortly after the end of the comment period.
Here is a summary of key changes:
The proposed effective date is extended for two months – now March 1, 2017 rather than January 1, 2017. Covered entities have 180 days from the new effective date to comply, although the regulation allows additional time to comply with certain requirements, such as:
- One year – requirements for reporting, penetration testing, risk assessments and vulnerability assessments;
- 18 months – requirements involving audit trail, data retention and encryption; and
- Two years – requirements for the third-party service provider security.
The original proposed regulation required a covered entity’s cybersecurity policy to address a list of 14 requirements. Now the policy can be based on the covered entity’s risk assessment and only needs to include the requirements to the extent they apply to the covered entity’s operations.
A covered entity must maintain a cybersecurity program based on its risk assessment. It can now comply with this requirement by adopting a cybersecurity program maintained by an affiliate, so long as the program covers the covered entity’s information systems and nonpublic information and complies with the proposal.
A covered entity was expected to maintain an audit trail system with six specific requirements for tracking and maintaining data. This has been revised to require the specified elements of the audit trail system based on the results of the risk assessment. Also, the six specific requirements for tracking and maintaining data were replaced with just the three elements noted below and qualified by materiality:
- The system is designed to reconstruct material financial transaction sufficient to support normal operations and obligations.
- The system must include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal operations.
- A record maintenance requirement for at least five years.
Third-Party Service Provider Security Policy
The requirements imposed on covered entities about third-party service providers’ cybersecurity were substantially modified:
- Definition of “third-party service provider” is now narrower from those doing business to mean “a person that: 1) is not an affiliate or the covered entity; 2) provides services to the covered entity; and 3) maintains, processes or otherwise is permitted access to nonpublic information through its provisions of services to the covered entity.”
- The requirement for a covered entity’s policies and procedures relating to third-party service providers was revised to now just require that the policies and procedures include “relevant guidelines for due diligence and/or contractual protections relating to third-party service providers.”
- Other requirements were removed, including the requirement that the policies and procedures establish preferred provisions addressing the right of the covered entity to perform cybersecurity audits of the third-party service provider.
Chief Information Security Officer (CISO)
A designated CISO is no longer required, so long as a qualified individual is in place to oversee and implement the covered entity’s cybersecurity program and enforce its cybersecurity policy.
Notices and Reporting
The reporting and notice requirements were revised as follows:
Board Reports – The CISO’s report to the board of directors must now be in writing and delivered annually instead of biannually. Also, the report no longer needs to propose remedial steps for inadequacies identified in a covered entity’s cybersecurity program.
Note: One unclear point is whether the report still needs to be made available to the Superintendent upon request. The revised proposal no longer contains this language. However, under § 500.02(d) there is a requirement that “all documentation and information relevant to [a] covered entity’s cybersecurity program shall be made available to the superintendent upon request”).
Notice to DFS Superintendent
Notice for any cybersecurity event that involves the actual or potential unauthorized tampering with, or access to or use of, nonpublic information is no longer required. Rather, now a covered entity must notify the DFS Superintendent within 72 hours if the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.
Encryption of Nonpublic Information
Nonpublic information no longer must be encrypted if the covered entity relies on other compensating controls and if encryption is not possible.
Note: While the deadlines for using compensating controls were removed, a review must be done at least annually to assess the feasibility of encryption and effectiveness of the compensating controls.
A confidentiality section was added to provide that information covered entities provide under the regulation will be subject to exemptions from certain disclosure laws.
The DFS modified its limited exemption for small covered entities and added other exemptions:
- Small Covered Entity Exemption – This exemption previously required a covered entity to have fewer than 1,000 customers in each of the last three calendar years, but now requires a covered entity to have fewer than 10 employees, including any independent contractors. These entities are exempt from the following requirements: CISO, penetration testing and assessments, audit trail, application security, cybersecurity personnel and intelligence, multi-factor authentication, training and monitoring, encryption of nonpublic information and incident response plan.
- Limited Exemption – This exemption was added for a covered entity that “does not directly or indirectly operate, maintain, utilize or control any information systems and that does not directly or indirectly control, generate, receive or possess nonpublic information. These entities are exempt from the following requirements: cybersecurity program, cybersecurity policy, CISO, penetration testing and vulnerability assessments, audit trail, access privileges, application security, cybersecurity personnel and intelligence, multi-factor authentication, training and monitoring, encryption of nonpublic information and incident response plan.
- Full Exemption – This exemption was added for an employee, agent or affiliate of a covered entity, which is itself a covered entity to the extent that such employee, agent or affiliate is covered by the cybersecurity program of the covered entity. Note, however, that the revised regulation also requires an exempt covered entity to file a notice of exemption with the DFS.
The summary of the regulation has been revised to reflect the updated proposal (click here).
Note: This information was prepared by Patty P. Tehrani, Lawyer and Founder of Policy Patty Toolkit, a consulting business that helps organizations develop, assess or enhance their governance, compliance and risk management programs, policies, controls and processes. The Policy Patty Toolkit provides general information only that does not constitute legal advic