Earlier this year, the New York State Department of Financial Services laid out new cybersecurity requirements for financial services companies.
These rules (codified in 23 NYCRR 500) took effect on March 1 and established an array of “regulatory minimum standards” that companies must now meet. When all is said and done, financial services companies will be required to annually certify compliance and report cybersecurity events directly to the department, appoint a chief information security officer (CISO), conduct periodic risk assessments, create and periodically review an incident response plan, and maintain audit trails for set periods (for example, 5 years for financial transactions).
NYDFS set a series of rolling deadlines for companies to become compliant with these new standards. The first of these deadlines, Aug. 28, is imminent.
Recently, law firm BakerHostetler presented a comprehensive webinar breaking down what’s required at each step. Here’s a quick rundown of what companies need to know.
Who Has to Comply?
The new regulations affect any organization operating under or required to “operate under DFS licensure, registration or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.” These include NYDFS licensees and their affiliates (trust companies, mortgage companies, insurance companies, etc.), New York branch offices, business partners and counterparties.
Charitable annuity societies, non-NY risk retention groups and reinsurers are exempt, as are companies with fewer than 10 employees, less than $5 million in gross annual revenue for three years or less than $10 million in year-end total assets. Companies with limited operations in New York, captive insurance companies and any company that doesn’t use information systems or access nonpublic information (NPI) will receive lesser exemptions.
August 28 Deadline
By this date, independent of any current measures in place, financial service companies must:
- Designate a CISO;
- Ensure that qualified cybersecurity personnel are in place;
- Establish a written incident response plan and cybersecurity policy that must be approved by a senior officer;
- Begin using defensive infrastructure and limiting access to NPI; and
- Start reporting cybersecurity events to NYDFS.
With only a handful of weeks before this deadline, there isn’t a great deal of time left for companies to meet these goals if they haven’t started putting them into motion. So, perhaps projecting out to what will be required at the next deadline, March 1, 2018, will be more helpful.
March 1, 2018 Deadline
By this date financial services companies must:
- Conduct a thorough risk assessment and have the CISO report directly to the board;
- Have employees undergo specific training;
- Begin using multi-factor authentication; and
- Start conducting continuous monitoring or annual penetration testing and bi-annual vulnerability assessments.
Of these requirements, the risk assessment deserves specific attention. Since it’s a keystone element of several of the other requirements that must be met during this period, its individual deadline is effectively much earlier than March 1. It will, after all, be difficult to begin building a cybersecurity program based on a risk assessment before actually performing one. And all of these things take time.
Beyond these individual steps, Melinda McLellan, partner at BakerHostetler, stressed the need for the CISO to have broad access to company records. “They will need to know exactly what the company has done so they can properly certify,” she said.
Indeed, there are potential reporting difficulties that could lie ahead, and companies need to “show, don’t tell” regulators that they are in compliance. A cybersecurity program can’t just exist in the CISO’s head; it has to be memorialized somehow.
According to BakerHostetler Partner Craig Hoffman, companies need to consider, “How are we going to prove compliance beyond just letting agencies interview our people?”