When it comes to cybersecurity, the financial services industry has been stuck in a quagmire. The industry faces significant costs associated with data breaches, identity theft, and service disruption. At the same time, businesses have learned that they must accept cybersecurity programs and policies as a cost of doing business, even if the return on these investments remains unclear. A jumble of federal and state laws and regulations is further adding to the operational costs of cybersecurity and regulatory compliance. The New York State Department of Financial Services’ (NYDFS) recently updated cybersecurity regulations suggest that regulatory authorities are aware of the difficulties confronting the financial services industry, and are trying to balance these competing concerns.
After receiving strong criticism from the banking and insurance industries, the New York State Department of Financial Services (NYDFS) issued updated proposed cybersecurity regulations, pushing back the effective date of the regulations from January 1, 2017 to March 1, 2017. The updated proposed regulations adopt a softer tone, providing greater flexibility in crafting and maintaining a cybersecurity program.
The original proposed regulations, introduced last fall, required banks, insurance companies and financial institutions regulated by NYDFS to adopt and maintain a cybersecurity program that protects customer information and information technology systems. During the 45-day notice and public comment period, NYDFS received extensive comments and complaints from banks, insurers and others that the proposed regulations were too complex, did not distinguish between financial institutions of different sizes, and imposed onerous technical requirements.
NYDFS listened. The updated proposed regulations still require regulated companies to establish a cybersecurity policy, maintain a cybersecurity program, and designate a Chief Information Security Officer (CISO) responsible for overseeing, implementing and enforcing the cybersecurity program and policy. However, the revised regulations are more flexible and accommodating for regulated organizations.
The revised proposed regulations include “transitional periods” for regulated entities to implement particular portions of the regulations. Regulated companies will have one year from the effective date of the regulations to: (1) report on the entity’s cybersecurity program and material cybersecurity risks; (2) conduct penetration testing and vulnerability assessments; (3) conduct a risk assessment of the entity’s information systems; (4) implement multi-factor authentication; and (5) provide regular cybersecurity training. Regulated companies will then have eighteen months from the effective date to: (1) establish audit trails; (2) implement application security requirements; (3) craft policies and procedures for limiting data retention; (4) implement monitoring of access to nonpublic information; and (5) encrypt nonpublic information. Two years after the effective date, regulated entities must implement written policies and procedures designed to address third party service providers.
The revisions also take a more relaxed stance on notification of cybersecurity events. The original proposal required regulated entities to notify the NYDFS superintendent as promptly as possible, but in no event later than 72 hours “after becoming aware of a cybersecurity event,” as defined by the regulations. Under that definition, regulated entities would have had to report any actual or potential unauthorized tampering with, or access to, nonpublic information. The updated proposed regulations retain the 72-hour time frame for reporting a cybersecurity event, but no longer require regulated entities to notify the superintendent of every actual or potential unauthorized tampering with nonpublic information. Instead, notification would be required only for “[e]vents…[that] have a reasonable likelihood of materially harming any material part of the normal operation(s)” of the regulated entity.
Finally, the technical components are now more flexible. For example, the updated regulations no longer require regulated entities to encrypt nonpublic information at rest or in transit where the regulated entity is using effective alternative compensating controls to protect that information. The earlier version of the proposed regulations required regulated companies to transition to encryption by a fixed point after the effective date, with no such alternative.
Clearly, the revised proposed regulations suggest that NYDFS heard the concerns and complaints of the banking and insurance industries. However, the revised regulations also demonstrate that NYDFS will not abandon its efforts to establish minimum regulatory standards that require banks, insurance companies and financial service companies to create robust and multifaceted cybersecurity programs. While more flexible, the revised proposed regulations are still complex. Companies now have more time to become compliant, but should nevertheless recognize that outside legal and cybersecurity experts may be valuable assets in their efforts to ensure that the programs and policies implemented comply with these regulations.
Jay Shapiro is a partner at White and Williams LLP and a Co-Chair of the firm’s Cyber Law and Data Protection Group.
Laura Schmidt is an associate at White and Williams LLP where she practices in the firm’s Cyber Law and Data Protection group and Insurance Coverage and Bad Faith group. She received a J.D./M.B.A. from Temple Law in 2014.