Despite the panoply of cybersecurity and data security breach laws currently in place at both the federal and state level, the unprecedented action of one New York state agency is poised to change the regulatory landscape relating to cybersecurity nationwide. The New York State Department of Financial Services (DFS), which is responsible for overseeing and regulating entities licensed, registered or authorized under the New York Banking Law, Insurance Law or Financial Services Law, has released the final version of cybersecurity regulations (the NY Regulations) ostensibly aimed at entities subject to DFS regulation. The NY Regulations went into effect on March 1, 2017 and have appropriately been hailed as “first-in-the-nation.” While the knee-jerk reaction – undoubtedly born from years of over-the-top warnings about impending doom from cyber threats – is to glaze over and let your IT Department worry about implementing appropriate measures, the NY Regulations cannot be ignored: not necessarily because of their draconian requirements (of which there are some), but because they have the potential to usher in a new wave of national compliance that will be confusing, complicated and costly no matter the size of your business or whether you are, in fact, located in New York.
New York rightly views itself as the steward of the financial services industry and, by putting forth the NY Regulations, has picked up the gauntlet in an effort to establish “certain regulatory minimum standards.”¹ Indeed, when announcing the NY Regulations, Governor Cuomo stated that, "New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."² Given the comprehensive nature of the NY Regulations and New York’s prominent role in the financial services industry, the NY Regulations will unquestionably prompt other states to enact similar regulatory standards.
While the banking, insurance and financial services industries are already subject to heavy cybersecurity regulation under federal and state laws, the NY Regulations broaden the cybersecurity requirements upon those entities subject to the oversight of the DFS (Covered Entities) by, among other things, mandating that they conduct risk assessments of their systems, establish cybersecurity programs to respond to attempted or actual unauthorized access to information systems and annually certify compliance with the NY Regulations. However, the NY Regulations extend well beyond Covered Entities, expanding the reach to entities not regulated by the DFS at all, but which are affiliated with or provide services to Covered Entities. In this regard, the impact of the NY Regulations is not limited to banks but will undoubtedly be felt by specialty lenders, service providers and other players involved in the commercial finance and asset-based lending industry. Accordingly, all of the players in our industry need to understand what may be required under the NY Regulations by virtue of contracting with or servicing a Covered Entity, and begin assessing next steps and implementing policies given the compressed timeframe imposed under the NY Regulations.
Not surprisingly, the NY Regulations received hundreds of comments and significant criticism from those affected, which prompted the DFS to make revisions to the originally proposed regulations. While the final revised NY Regulations provide some relief from the stringent requirements contained in the original proposal, they remain broad in their application and extensive in their mandates. Therefore, it is crucial to understand who the NY Regulations apply to and what is required to ensure compliance in accordance with the implementation timeframes.
Who do the NY Regulations apply to?
On their face, the NY Regulations apply to "Covered Entities," which is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." Given the broad definition of Covered Entities, it remains to be seen whether out-of-state chartered banks operating branches in New York pursuant to an application process will be subject to the Regulations. To assist in determining who is subject to oversight by the DFS, the DFS website has a public database that is searchable by the entity name, but which may not necessarily be inclusive of the breadth of Covered Entities subject to the Regulations.³ The only exemption to compliance is for a Covered Entity that: (i) employs fewer than ten employees (including independent contractors) in New York or (ii) has less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations or (iii) has less than $10 million in year-end total assets.
Whether or not you are a Covered Entity does not end the inquiry. The NY Regulations extend the reach of certain provisions by requiring that Covered Entities ensure that “Affiliates” and “Third Party Service Providers” comply with minimum cybersecurity practices. This means that any Person controlled by a Covered Entity, or any Person that provides services to the Covered Entity and maintains or has access to “Nonpublic Information,” will likely be subject to many of the mandates of the NY Regulations. “Nonpublic Information” is unique to the NY Regulations and generally includes any personal information of an individual (name, number, etc.) that can be used to identify him or her in combination with a social security number, driver’s license/non-driver identification card number, account or credit card number, security or access code or password permitting access to such individual’s financial records, or biometric records.
The range of companies and services subject to the NY Regulations is thus extensive. For example, any specialty lender or service provider that gathers an individual’s personal information on behalf of a Covered Entity would be subject to the minimum cybersecurity requirements established by the Covered Entity (discussed further below) even if the specialty lender or service provider is located in California and not otherwise required to be licensed under New York’s Banking, Insurance, or Financial Services Laws.
What do the NY Regulations require?
A key aspect of the NY Regulations is the recognition by the DFS that Covered Entities’ risk profiles are not “one size fits all.” As such, a Covered Entity is required to undertake a periodic Risk Assessment of its information systems to identify controls necessary to protect the Covered Entity’s business, Nonpublic Information and information systems. Based upon the Risk Assessment, the Covered Entity must implement a cybersecurity program that is designed to protect the confidentiality and availability of the information system and establish and implement a written cybersecurity policy that sets forth the policies and procedures for protecting Nonpublic Information. This individualized approach is meant to afford the Covered Entity some flexibility in tailoring a program to its specific needs. Nonetheless, Covered Entities must still meet stringent reporting requirements (including annual certification that they are complying with the NY Regulations), designate personnel to oversee and enforce the cybersecurity program and conduct continuous monitoring and testing.
The cybersecurity program must identify and assess cybersecurity risks, and detect, respond to, and recover from “Cybersecurity Events,” which include attempted as well as actual unauthorized access to information systems. In an effort to lessen the burden on Covered Entities in establishing a cybersecurity program, the NY Regulations allow Covered Entities to satisfy the cybersecurity program requirements by adopting a cybersecurity program maintained by an Affiliate, provided that the Affiliate’s cybersecurity program meets the NY Regulations’ requirements.
The cybersecurity policy must set forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information and must be approved by a designated “Senior Officer” of the Covered Entity, who is responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity. Significantly, the Senior Officer or the Chairperson of the Board of Directors of the Covered Entity must certify compliance annually with the DFS, thereby creating a new target within the organization for liability (or at least to individually name in a lawsuit) whenever there is an alleged data breach.
Each Covered Entity must designate an individual known as the Chief Information Security Officer (CISO) responsible for overseeing and implementing the Covered Entity’s cybersecurity program, enforcing the cybersecurity policy, and annually reporting to the Covered Entity’s board of directors regarding the Covered Entity’s cybersecurity program and cybersecurity risks. The CISO may be employed by the Covered Entity or by one of the Covered Entity’s Affiliates or Third Party Service Providers but, to the extent the CISO is an Affiliate or Third Party Service Provider, the Covered Entity retains responsibility for compliance with the NY Regulations and must designate a senior member of the Covered Entity to oversee the Third Party Service Provider.
Covered Entities must also implement written policies and procedures for Third Party Service Providers that comply with the Covered Entity’s Risk Assessment to ensure the security of Nonpublic Information held by or accessible to Third Party Service Providers. The Covered Entity must specify the “minimum cybersecurity practices” required to be met by the Third Party Service Providers, ensure the Third Party Service Providers’ use of multi-factor authentication and/or encryption (as needed) to limit access to Nonpublic Information, and require notice to be provided to the Covered Entity in the event of a Cybersecurity Event. The NY Regulations envision that these requirements will be imposed on the Third Party Service Providers via guidelines for due diligence and/or contractual provisions.
Depending upon the cybersecurity policies and technologies already employed by a Covered Entity, compliance may be difficult and expensive, not to mention complicated, given that the NY Regulations apply to Third Party Service Providers and Affiliates of the Covered Entity and may conflict with, or impose additional requirements to, other state or federal laws. By way of example, a Third Party Service Provider may not have the technology or personnel in place to rapidly monitor and detect a Cybersecurity Event (let alone one that was unsuccessful), but may nevertheless be contractually obligated to report such an event within 72 hours to the Covered Entity so the Covered Entity can, in turn, satisfy its reporting requirements to the DFS under the NY Regulations. Failure to report could result in the Third Party Service Provider defaulting on its contractual obligations with the Covered Entity, and the Covered Entity violating the NY Regulations.
When do the requirements imposed by the NY Regulations have to be implemented?
As noted above, the NY Regulations became effective March 1, 2017. However, compliance with certain significant provisions has been staggered to permit the Covered Entities to comply with the requirements. Covered Entities will have between 180 days and two years from the effective date of the NY Regulations to comply with the requirements. A Covered Entity must designate its CISO and establish and implement cybersecurity programs and cybersecurity policies within 180 days of the effective date, while it has two years from the effective date to establish policies and procedures for Third Party Service Providers. Covered Entities must certify compliance with the NY Regulations by February 15, 2018 and annually thereafter.
While most Covered Entities may already have appropriate cybersecurity measures in place due to existing federal and state regulations, the NY Regulations not only create new obligations, but will likely serve as a trigger point for increased state regulation of cybersecurity policy. Regardless of which states ultimately follow New York’s lead, the fact remains that the NY Regulations may affect your business no matter your size or where you conduct business. Indeed, the fact that the NY Regulations require Covered Entities to designate a Senior Officer and a CISO, each with a litany of responsibilities (including annual certification of compliance), should, at the very least, prompt Covered Entities to reevaluate the scope of their existing cyber and E&O insurance. Although the NY Regulations are silent about the penalties for their violation, under the authority of the superintendent the DFS will presumably be able to impose civil monetary penalties or seek injunctive relief for noncompliance, prompting Covered Entities to be vigilant in ensuring their service providers are complying with the Covered Entities’ written cybersecurity policies and contractual provisions. Thus, it is critical for a Covered Entity, or any other party in the commercial finance and asset-based lending industry dealing with a Covered Entity, to immediately begin assessing the steps necessary to ensure it is prepared to meet the requirements of the NY Regulations.
¹ 23 NYCRR 500
² Press Release, “Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions from Cyber-Attacks to Take Effect March 1,” http://www.dfs.ny.gov/about/press/pr1702161.htm (Feb. 16, 2017)
³ https://myportal.dfs.ny.gov/web/guest-applications/who-we-supervise. However, note the not-so-subtle language in the definition that the NY Regulations apply not only to those that are regulated by the DFS, but those “required to operate” under the authority of DFS.