InfoBytes Blog

NYDFS Launches New Cybersecurity Portal, Sets Compliance Deadlines

On July 31, the New York Department of Financial Services (NYDFS) announced the launch of an online cybersecurity portal for businesses to securely report cybersecurity events as required by the state’s cybersecurity regulation that took effect March 1. (See previous InfoBytes summary here.) The regulation, Cybersecurity Requirements for Financial Services Companies, requires all banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain cybersecurity programs to safeguard consumers’ private data. The cyber portal is designed to facilitate easy reporting of cybersecurity events and will allow regulated entities to file compliance certifications. Starting August 28, 2017, all entities required to comply with NYDFS cybersecurity regulations “must file certain notifications to the [Financial Services] Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.” A cybersecurity event is reportable if it: (i) “impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body”; or (ii) “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.” Additionally, covered entities are required to file a certificate of compliance confirming compliance for the previous calendar year no later than February 15, 2018.

Privacy/Cyber Risk & Data Security NYDFS State Issues Bank Regulatory Compliance 23 NYCRR Part 500

NYDFS Landmark Cybersecurity Rule Set to Take Effect on March 1

On February 16, New York Governor Andrew Cuomo announced that with the New York Department of Financial Services’ (NYDFS) publication of a Final Regulation, New York’s “First-in-the-Nation Cybersecurity Regulation” is set to take effect on March 1.  As discussed previously in InfoBytes, the regulation—which requires banks, insurance companies, and other financial services institutions regulated by NYDFS to establish and maintain a cybersecurity program designed to protect consumers’ private data—imposes broad and, in some cases proscriptive, data security and cybersecurity requirements on Covered Entities that venture into new territory for both state and federal financial regulators. Indeed, as described by Governor Cuomo, the regulation reflects New York’s efforts to “lead[] the nation” through “decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises.”  

Moreover, as detailed in a follow-up InfoBytes Special Alert, NYDFS issued a updated proposed regulation on December 28 in response to over 150 comments and testimony presented at a hearing before New York State lawmakers. Though the updated proposed regulation did not differ drastically from the original, the revised proposed regulation provided for somewhat greater flexibility in how covered entities could go about implementing the requirements. Among other things, the December 28 revisions provided for: (i) longer timeframes for compliance with its requirements; (ii) more flexibility for compliance with certain requirements and acknowledgement that some requirements may not be applicable to all financial institutions; and (iii) clarifications to certain key definitions.

The newly released Final Regulation retains the revisions incorporated in the December 28 revision, but also contains the following notable revisions:

• Record retention requirements for audit trail materials relating to Cybersecurity Events were reduced from five years to three years.
• Clarification that Covered Entities’ policies and procedures for reporting by Third Party Service Providers of Cybersecurity Events only apply to the Covered Entity’s Nonpublic Information.
• The limited exemption for small businesses to certain requirements of the rule has been narrowed by including a Covered Entity’s New York affiliates when calculating its number of employees and annual revenue.
• Further clarification on the exemptions for companies regulated under New York’s Insurance Law.

With the expiration of the 30-day comment period and the publication of the Final Rule, New York’s Cybersecurity regulation is officially cleared to become effective upon publication in the New York State Register on March 1.

InfoBytes will continue to monitor the rollout of this pioneering regulation as it progresses.

State Issues Agency Rule-Making & Guidance Bank Regulatory NYDFS Privacy/Cyber Risk & Data Security Vendor Management 23 NYCRR Part 500

Special Alert: Revised NYDFS Cybersecurity Rule

On December 28, 2016, the New York Department of Financial Services (DFS) issued a revised version (Revised Proposed Rule) of its cybersecurity rule for financial institutions issued on September 13, 2016 (Proposed Rule). The revision came after DFS received more than 150 comments in response to the Proposed Rule, as well as a hearing before New York State lawmakers. The Revised Proposed Rule retains the spirit of the original Proposed Rule, but offers covered entities somewhat more flexibility in implementing the requirements.

Background

The Proposed Rule marked the next step in a period of increased focus on cybersecurity by the agency. Between May 2014 and April 2015, DFS issued three reports relating to cybersecurity in the financial and insurance industries. In November 2015, DFS issued a letter to federal financial services regulatory agencies, which alerted the federal regulators to DFS’s proposed regulatory framework and invited comment from the regulators.

In the September release, DFS explained that the Proposed Rule is a response to the “ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors.” As originally written, the Proposed Rule covered financial institutions operating under a charter or license issued by DFS, and set cybersecurity program, policy, training, and reporting requirements that are more stringent than the current federal requirements. The Proposed Rule gave a January 1, 2017 effective date, with a 180-day transitional period. Taking into consideration these concerns, on December 19, 2016, the New York State Assembly’s Standing Committee on Banks held a public hearing regarding cybersecurity and the Proposed Rule. Among the chief concerns expressed at the hearing and in the comment letters was the cost of compliance, especially for smaller banks, and that the Proposed Rule’s “one-size-fits-all” requirements do not consider the varying operational structures, business models, and risk profiles of financial institutions. There was also concern that the Proposed Rule was too different from the current federal requirements.

Click here to read full special alert

* * *

We will continue to monitor the DFS rulemaking process. If you have questions about the Revised Rule or other cybersecurity issues, visit our Privacy, Cyber Risk & Data Security practice for more information, or contact a Buckley Sandler attorney with whom you have worked in the past.

Privacy/Cyber Risk & Data Security NYDFS State Issues Special Alerts 23 NYCRR Part 500

NYDFS to Revise Proposed Cybersecurity Regulation Following Public Hearing Before State Lawmakers

On December 19, the New York Assembly Standing Committee on Banks held a public hearing, receiving testimony about a recently proposed regulation intended to address cybersecurity risks to entities regulated by the New York Department of Financial Services (NYDFS). Previously covered by InfoBytes upon its initial release in September 2016, the proposed regulation has since been subject to a public comment period before final issuance.

The hearing before the NY State Assembly provided an opportunity for representatives from a variety of NYDFS-regulated entities to offer testimony and/or raise objections. Many of the witnesses cited the proposal’s “one-size-fits-all” approach as a source of concern, noting that the proposed regulation currently does not account for variations in the business models, IT system structures, or risk profiles of the institutions they affect. Other concerns raised by the witnesses included onerous reporting requirements, a lack of harmony between the proposal and federal regulations and guidance, high costs of compliance, and even reputational risk arising out of exposure through FOIA Laws. An archived video of the hearing can be accessed here.

Two days after the hearing in Albany, NYDFS indicated that it is now planning to release an updated version of the regulation on December 28—thereby pushing the effective date to March 1, 2017.  InfoBytes will continue to monitor the status of the proposed regulation and will issue an update once NYDFS publishes its revised regulation.

Banking State Issues NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500

Special Alert: NYDFS Stakes Claim on Cybersecurity Regulation

On September 13, the New York Department of Financial Services (DFS) issued a proposed rule establishing cybersecurity requirements for financial services companies, and has thus ventured into new territory for state regulators. In the words of Governor Cuomo, “New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises."

Given the concentrated position of financial service companies in New York and the regulation’s definition of a Covered Entity – which includes “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law” – it could create an almost de facto national standard for medium to large financial services companies, regardless of where they keep their servers or suffer a cyberattack. This type of state-level regulation is not unprecedented. In 2003, California passed a data breach notification law that requires companies doing business in California to notify California residents of the breach and more recently amended the law to require 12 months of identity protection and strengthen data security requirements. In 2009, Massachusetts enacted a regulation mandating businesses implement security controls to protect personal information relating to state residents.

The DFS designed the regulation to protect both consumers and the financial industry by establishing minimum cybersecurity standards and processes, while allowing for innovative and flexible compliance strategies by each regulated entity. Yet the proposed regulation goes further than to just ask financial entities to conduct a risk assessment and to design measures to address the identified risks.

Click here to view the full Special Alert.

* * *

Questions regarding the matters discussed in this Alert may be directed to any of our lawyers listed below, or to any other BuckleySandler attorney with whom you have consulted in the past.

• John P. Kromer, (202) 349-8040
• Elizabeth E. McGinn, (202) 349-7968

NYDFS Privacy/Cyber Risk & Data Security 23 NYCRR Part 500 State Issues

New York DFS Submits Letter to Federal Regulators Regarding Potential Cybersecurity Regulations

On November 9, the New York DFS sent a letter to federal regulators and other interested parties, including the CFPB, Federal Reserve Board, and the OCC, regarding potential new regulations aimed at increasing cybersecurity efforts within the financial sector. The letter references recent DFS reports that covered key findings from surveys given to regulated banking organizations on their cybersecurity programs, costs, and future plans. The reports raised the following concerns: (i) the speed of technological change and the increasingly sophisticated nature of threats; (ii) third-party service providers tend to have access to sensitive information and companies’ IT systems, providing potential hackers with a point of entry; and (iii) the “scale and breadth of the most recent breaches and incidents.” In light of these concerns, the DFS asserts that it would be beneficial to coordinate with state and federal regulators to “develop a comprehensive [cybersecurity] framework that addresses the most critical issues, while still preserving the flexibility to address New York-specific concerns.” According to the letter, the DFS expects to propose regulations requiring entities to set specific requirements in areas such as: (i) cybersecurity policies and procedures; (ii) third-party service provider management; (iii) cybersecurity personnel and intelligence, including implementing mandatory cybersecurity training programs; and (iv) notice of cybersecurity breaches.

Bank Supervision Privacy/Cyber Risk & Data Security NYDFS 23 NYCRR Part 500