Several of the new requirements of the New York State Department of Financial Services (DFS) Cybersecurity Regulation are now operative for firms and individuals engaged in financial services (including insurance companies and producers, banks and others) licensed by the DFS (Covered Entities). Covered Entities should now be working on the regulation’s remaining and ongoing requirements. The next transition date, September 3, 2018, requires compliance with five of the regulation’s requirements, and the final transition date is March 1, 2019. While Covered Entities are focused on meeting these deadlines, the regulation also contains several ongoing requirements that demand continued attention.
Satisfying the September 3, 2018 Transition Date
In addition to the requirements that were phased in by the first two transition dates of August 28, 2017 and March 1, 2018, by September 3, 2018, Covered Entities must have policies and procedures in place for the secure disposal of certain Nonpublic Information that no longer needs to be retained for business operations or other business purposes. In addition, Covered Entities that are not subject to one of the limited exemptions described in our previous article must satisfy the following requirements:
- Audit Trail requirements, based on the Risk Assessment, including the maintenance of systems designed to reconstruct material financial transactions and to detect and respond to certain Cybersecurity Events. Records related to material financial transactions and to certain Cybersecurity Events must be maintained for five years and three years, respectively.
- Application Security requirements for written procedures, guidelines and standards for the secure development, evaluation, assessment and testing of applications.
- Training and Monitoring requirements, based on the Risk Assessment, for procedures and controls to monitor the activities of authorized users and to detect unauthorized access, use or tampering, and for regular cybersecurity awareness training for all personnel.
- Encryption requirements, based on the Risk Assessment, for controls, including encryption, to protect Nonpublic Information both in transit and at rest; where encryption is infeasible, effective alternative compensating controls must be approved, and reviewed annually, by the CISO.
These requirements, together with the provisions that had earlier transition dates, must be satisfied in order to put the Covered Entity in a position to file the next required compliance certificate, due February 15, 2019.
The Final Transition Date
The last remaining transition date of March 1, 2019 will require compliance with the regulation’s third party service provider requirements. These requirements will, for many Covered Entities, require a great deal of work and attention, as they affect the relationship between each Covered Entity and any third party that touches its Nonpublic Information or its Information Systems. It is important to note that these terms are defined in the regulation much more broadly than most Covered Entities have been thinking about them, and will involve more third party service providers than have typically been considered in vendor management programs.
Ongoing Requirements
In addition to meeting the provisions of the regulation with upcoming transition dates, Covered Entities must continue to observe the regulation’s periodic and ongoing requirements, including those identified below. Note that many of these ongoing requirements do not apply to partially exempt Covered Entities, as indicated by an asterisk.
- Access privileges to Information Systems must be periodically reviewed.
- Risk Assessments of Information Systems must be conducted periodically.
- Cybersecurity Events must be evaluated on an ongoing basis to comply with applicable notification requirements.
- Annual compliance certifications are required to be submitted to the Superintendent by February 15.
- Exemptions must be monitored: exemption notifications must be updated if new exemptions apply, and the regulation requires full compliance within 180 days of the end of the fiscal year if the Covered Entity ceases to qualify for an exemption.
- Third Party Service Providers with access to Information Systems and Nonpublic Information must be vetted and contracted, and periodically assessed, in accordance with policies and procedures for addressing cybersecurity risks.
- Limitations on Data Retention must be continually applied to securely eliminate certain Nonpublic Information that is no longer necessary for business purposes, unless otherwise required to be maintained for certain purposes.
- Cybersecurity personnel are required to receive updates on relevant cybersecurity risks, and must maintain current knowledge of changing cybersecurity threats and countermeasures.*
- Application Security safeguards are to be periodically reviewed, assessed and updated.*
- The CISO retains ongoing responsibility for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy.*
- The CISO must report annually to the board of directors on the cybersecurity program and cybersecurity risks.*
- Monitoring and testing on an ongoing basis to assess the effectiveness of the Cybersecurity Program, using either continuous monitoring, or periodic penetration testing and vulnerability assessments.*
- Audit trail requirements call for the ongoing maintenance of systems able to reconstruct certain material financial transactions and to detect and respond to certain Cybersecurity Events, including the retention of certain financial records for at least five years and of information related to certain Cybersecurity Events for at least three years.*
- Monitoring of the activities of Authorized Users must be conducted on an ongoing basis, including detection of unauthorized access to or misuse of Nonpublic Information.*
- Cybersecurity Awareness Training is required to be provided for all personnel, and updated regularly.*
- Encryption technology, or compensating controls, to protect data in motion and data at rest may require ongoing attention, including training and monitoring, depending on the particular safeguards deployed.*
Generally, it is important for Covered Entities to build in periodic review, reassessment, and refreshing of their Cybersecurity Program and Cybersecurity Policies to keep up with regulatory developments; evolution in the threat landscape; developments in business needs, operation and personnel; progress in security techniques and technologies; and results of the periodic Risk Assessment.