Proposed Changes to New York Cybersecurity Regulations Could Affect Financial Institutions
The New York State Department of Financial Services (NYDFS) last week issued an updated draft of its cybersecurity regulations after considering submitted comments, issues, and concerns regarding its initial proposal. Financial institutions should be aware of any modifications to ensure they are up to date on the requirements.
The updated regulations appear to be more practical and are more clearly risk-based than the original version proposed in September 2016. Many of their requirements are now linked to each covered entity’s risk assessment, which must be conducted and updated “periodically.”
The regulations — which take effect March 1, 2017, following a second 30-day notice and public comment period — apply to banking, insurance, and other financial services organizations that fall under the purview of the NYDFS. The regulations have been modified in the following additional key areas:
- The definition of “nonpublic information,” which is subject to the regulation, has been revised to make it narrower and closer to the more common definitions of “personal information.”
- Many requirements received extended compliance timelines, ranging from 12 to 24 months compared to the default of six months.
- Covered entities can comply through an affiliate; therefore, a group of companies need not have multiple programs.
- Covered entities are no longer required to identify nonpublic information stored in their systems.
- The requirement to have an annual review of the cybersecurity policy by the board of directors of the covered entity has been removed.
- Multifactor authentication and encryption of data in transit and at rest are no longer mandatory and are dependent on the risk assessment and the existence of compensating controls.
- The requirement to conduct quarterly penetration testing has been relaxed to allow for periodic and continuous reviewing, monitoring, and testing.
- The requirements for third-party service providers (TPSP) have been softened to allow more flexibility in contract negotiation with TPSPs.
- Incident response plans must only address events “materially” affecting information systems or the continuing functionality of a financial institution’s business or operations, as opposed to any event; similar changes were made to the duty to report “cybersecurity events” to the superintendent.
- A new confidentiality provision protects covered entities with respect to the information provided in their required annual certification to the New York superintendent of insurance.
- The exemptions provision has been expanded and also requires that a covered entity that qualifies for an exemption file a notice of exemption.
Pending the public comment period, there may be more changes coming to the regulation. Financial institutions operating in New York should review the updated proposed regulation against existing policies and procedures to ensure compliance and mitigate potential fines or penalties. Work with your insurance advisors to understand how insurance — including cyber liability — can help you mitigate and transfer these risks.