NY Revises Its Cybersecurity Rule Proposal

by Patty Tehrani
January 19, 2017
in Cybersecurity, Data Privacy, Featured

Reviewing Key Changes

The New York State Department of Financial Services (“DFS”) has revised its proposed cybersecurity rule in response to comments submitted on its original proposal, issued last September. Patty Tehrani, lawyer and founder of Policy Patty Toolkit, outlines the changes, including those to the exemption sections, board reporting and notice requirements.

By: Patty Tehrani

This is an update to my earlier article on the New York Department of Financial Services (DFS) proposed cybersecurity regulation (officially known as “23 NYCRR 500”).

Last month, the DFS revised its proposal in response to the comments it received, easing some requirements and clarifying others (see the DFS press release and the revised regulation). The notice and public comment period for the revised rule ends on January 27, 2017, and finalization is expected shortly after the comment period closes.

Here is a summary of key changes:

Effective Date

The proposed effective date is extended by two months, to March 1, 2017 rather than January 1, 2017. Covered entities have 180 days from the new effective date to comply, although the regulation allows additional time for certain requirements:

  • One year – requirements for reporting, penetration testing, risk assessments and vulnerability assessments;
  • 18 months – requirements involving audit trail, data retention and encryption; and
  • Two years – requirements for the third-party service provider security.

Cybersecurity Policy

The original proposed regulation required a covered entity’s cybersecurity policy to address a list of 14 requirements. Now the policy can be based on the covered entity’s risk assessment and only needs to include the requirements to the extent they apply to the covered entity’s operations.

Cybersecurity Program

A covered entity must maintain a cybersecurity program based on its risk assessment. It can now comply with this requirement by adopting a cybersecurity program maintained by an affiliate, so long as the program covers the covered entity’s information systems and nonpublic information and complies with the proposal.

Audit Trail

Under the original proposal, a covered entity had to maintain an audit trail system meeting six specific requirements for tracking and maintaining data. The revision instead requires the elements of the audit trail system that are warranted by the results of the risk assessment. The six specific requirements were replaced with the three elements below, each qualified by materiality:

  • The system must be designed to reconstruct material financial transactions sufficient to support normal operations and obligations.
  • The system must include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of normal operations.
  • Records must be maintained for at least five years.

Third-Party Service Provider Security Policy

The requirements imposed on covered entities about third-party service providers’ cybersecurity were substantially modified:

  • The definition of “third-party service provider” was narrowed from anyone doing business with the covered entity to “a person that: 1) is not an affiliate of the covered entity; 2) provides services to the covered entity; and 3) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.”
  • The requirement for a covered entity’s policies and procedures relating to third-party service providers was revised to require only that the policies and procedures include “relevant guidelines for due diligence and/or contractual protections relating to third-party service providers.”
  • Other requirements were removed, including the requirement that the policies and procedures establish preferred provisions addressing the covered entity’s right to perform cybersecurity audits of the third-party service provider.

Chief Information Security Officer (CISO)

A designated CISO is no longer required, so long as a qualified individual is in place to oversee and implement the covered entity’s cybersecurity program and enforce its cybersecurity policy.

Notices and Reporting

The reporting and notice requirements were revised as follows:

Board Reports – The CISO’s report to the board of directors must now be in writing and delivered annually instead of biannually. Also, the report no longer needs to propose remedial steps for inadequacies identified in a covered entity’s cybersecurity program.

Note: One unclear point is whether the report still needs to be made available to the Superintendent upon request. The revised proposal no longer contains this language. However, § 500.02(d) requires that “all documentation and information relevant to [a] covered entity’s cybersecurity program shall be made available to the superintendent upon request.”

Notice to DFS Superintendent

Notice for any cybersecurity event that involves the actual or potential unauthorized tampering with, or access to or use of, nonpublic information is no longer required. Rather, now a covered entity must notify the DFS Superintendent within 72 hours if the cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.

Encryption of Nonpublic Information

Nonpublic information no longer has to be encrypted where encryption is infeasible and the covered entity relies on other compensating controls instead.

Note: While the deadlines for using compensating controls were removed, a review must be done at least annually to assess the feasibility of encryption and effectiveness of the compensating controls.

Confidentiality

A confidentiality section was added to provide that information covered entities provide under the regulation will be subject to exemptions from certain disclosure laws.

Exemptions

The DFS modified its limited exemption for small covered entities and added other exemptions:

  • Small Covered Entity Exemption – This exemption previously required a covered entity to have fewer than 1,000 customers in each of the last three calendar years, but now requires a covered entity to have fewer than 10 employees, including any independent contractors. These entities are exempt from the following requirements: CISO, penetration testing and assessments, audit trail, application security, cybersecurity personnel and intelligence, multi-factor authentication, training and monitoring, encryption of nonpublic information and incident response plan.
  • Limited Exemption – This exemption was added for a covered entity that “does not directly or indirectly operate, maintain, utilize or control any information systems and that does not directly or indirectly control, generate, receive or possess nonpublic information.” These entities are exempt from the following requirements: cybersecurity program, cybersecurity policy, CISO, penetration testing and vulnerability assessments, audit trail, access privileges, application security, cybersecurity personnel and intelligence, multi-factor authentication, training and monitoring, encryption of nonpublic information and incident response plan.
  • Full Exemption – This exemption was added for an employee, agent or affiliate of a covered entity, which is itself a covered entity to the extent that such employee, agent or affiliate is covered by the cybersecurity program of the covered entity. Note, however, that the revised regulation also requires an exempt covered entity to file a notice of exemption with the DFS.

The summary of the regulation has been revised to reflect the updated proposal.

Note: This information was prepared by Patty P. Tehrani, Lawyer and Founder of Policy Patty Toolkit, a consulting business that helps organizations develop, assess or enhance their governance, compliance and risk management programs, policies, controls and processes. The Policy Patty Toolkit provides general information only that does not constitute legal advic

Patty Tehrani

Patty P. Tehrani is an experienced compliance counsel and advisor and the founder of the Policy Patty Toolkit (www.policypatty.com). Patty has expansive knowledge and expertise on policy development as well as governance and risk management programs, processes and controls. You can follow her on LinkedIn or contact her via patty@policypatty.com.