Officials in New York are delaying the compliance dates for new cyber-security rules targeting financial institutions and have released new, more business-friendly revisions.

On Dec. 28, the New York Department of Financial Services announced it will postpone the effective date of its “first-in-the-nation” cyber-security regulations from Jan. 1, 2017, to March 1, 2017, giving affected companies 180 days (until Sept. 1) to prepare compliance efforts. The original compliance date was July 1, 2017.

This updated proposal is intended to accommodate a new comment period and provide adequate time for regulated entities to review the rules before they become final and “make certain that their systems can effectively and efficiently meet the risks associated with cyber-threats,” a statement from the Department says.

As proposed in September, the regulations required that banks, insurance companies, and other financial services institutions overseen by the NYDFS establish a cyber-security program; adopt a written cyber-security policy; designate a chief information security officer responsible for implementing, overseeing, and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and non-public information accessible to, or held by, third parties.


Notable changes in the new proposal include: a greater range of exemptions; a focus on risk profiles and risk assessments over prescriptive mandates; and a more detailed definition of what had been criticized as an overly broad definition of non-public information.

Under the revised rules, institutions will have one year from the effective date to provide CISO and board reports on penetration testing, vulnerability assessments, and cyber-security training. Covered entities will have two years from the effective date to comply with demands related to the security of third-party service providers.

Unintended consequences

A wide range of concerns were voiced during the previous comment period.

“We are completely in support of the underlying objectives,” Laura Mazzara, senior vice president and chief risk officer for Pioneer Bank, said during a Dec. 19 hearing convened by the New York State Assembly. Nevertheless, she urged “flexibility in the way the rule is interpreted and how we are expected to implement it.”

The rule’s “one-size fits all” approach “doesn’t take into account the operating environment as it varies from bank to bank,” she said.

Citing a growing list of cyber-security demands by federal regulators, Mazzara openly worried that the new regulation could “result in a disparity between a standard we are expected to meet on the federal side and a standard we are expected to meet on the state side.”

Her colleague at Pioneer Bank, Associate Counsel and Compliance Officer James Whalen, detailed concerns that the amount of reported information “could be quite voluminous and number in the hundreds, potentially thousands of incident reports per year” because nearly any attempted breach, successful or not, would need to be itemized.

“We’re concerned that the public nature of these reports could create the false impression among community bank customers that the institutions are less secure with respect to cyber-security than their federally chartered counterparts,” Whalen added.

Comment letters regarding the proposal touched upon these and other concerns. Among the notable pieces of correspondence was a letter authored by the Securities Industry and Financial Markets Association, the American Bankers Association, the Financial Services Roundtable, the Financial Services Sector Coordinating Council, the Mortgage Bankers Association, the American Financial Services Association, the American Land Title Association, and the New York Mortgage Bankers Association.

They requested that the final regulation be “complementary and consistent with existing cyber-security requirements” and embody a risk-based approach.


“Cyber-security regulations issued by only one state—or by several states—without an effort to converge and coordinate with existing cyber-security requirements will lead to confusion, additional costs, and a misalignment of cyber-security operations within the industry,” they wrote.

Financial firms already have designed their cyber-security programs to implement the National Institute of Standards and Technology’s cyber-security framework, comply with the Federal Financial Institutions Examination Council’s Cyber-security Assessment Tool, and meet requirements of the Gramm-Leach-Bliley Act. “The proposal, however, does not adopt or fully recognize the [framework], the existing federal requirements, and the extensive efforts that firms have made to comply with existing requirements,” the letter says.

Some of the requirements proposed by the NYDFS impose “impractical and technically infeasible requirements that would lead to unintended consequences,” the groups wrote.

For example, requirements to encrypt data at rest and in transit, deploy multifactor authentication protections, and maintain audit trails for nearly all information processed by financial firms—as opposed to sensitive data that, if compromised or lost, would result in significant harm to the consumer—“would not align with existing federal requirements and result in massive inefficiencies and delays in fulfilling customer demands.”

“Requiring encryption of nearly all data at third-party vendors would cause material data processing delays,” the groups added. “These requirements should instead be risk-based.”

Similarly, data retention requirements should be governed by the records retention policies of the business. “Data stored on magnetic data tapes and commingled data on servers present significant feasibility challenges with respect to any requirement for targeted data destruction,” the letter says.

As for the risk of over-reporting, the letter suggests that the final regulation require notification only where there is a substantial risk of material harm, rather than all events involving non-public information or every event that may affect a firm’s operation.

A major concern cited in the letter is the rule’s proposed certification requirement. “[It] is an unprecedented new government cyber-security requirement that is also highly impractical—especially to the extent it requires firms to certify complete compliance,” the letter argues. “The language … does not recognize that cyber-security is an iterative process, and it leaves no room for instances where complete compliance has not been achieved but remediation plans have been duly put in place.”

INCIDENT RESPONSE PLAN

Below is an excerpt from the updated NYDFS regulation on cyber-security.
(a) As part of its cyber-security program, each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cyber-security Event materially affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business or operations.
(b) Such incident response plan shall address the following areas:
(1) the internal processes for responding to a Cyber-security Event;
(2) the goals of the incident response plan;
(3) the definition of clear roles, responsibilities, and levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of any identified weaknesses in Information Systems and associated controls;
(6) documentation and reporting regarding Cyber-security Events and related incident response activities; and
(7) the evaluation and revision as necessary of the incident response plan following a Cyber-security Event.
Source: NYDFS

The proposal, the groups added, requires certification of compliance with no apparent mechanism to note areas that may not be in complete compliance at the time of certification but that have been identified for remediation. Such a certification could result in criminal liability if the controls are found lacking.

“Firms should not be required to operate under such heightened standards and onerous penalties for non-compliance, especially in an environment that is inherently uncertain and fraught with unknown risks,” they wrote. If the language remains as stated in the proposed regulations, “it could lead to a paper exercise of downstream certifications to protect senior officers from liability, with a focus on checking the box rather than on addressing cyber-risk.”

Concessions, flexibility offered

Based on the revised rule, the NYDFS didn’t turn a deaf ear to these and other complaints.

“Overall, the differences make this a much more business-practical application of a cyber-security program,” says Jim Woods, co-leader of law firm Mayer Brown’s global insurance industry group. The expanded compliance timelines set “a fairly workable timetable.”

Notably, the NYDFS also narrowed the definition of personal information. “They no longer require a single executive to be responsible for the overall implementation of the cyber-plan. It can be the board, it can be a committee of the board, or it can involve the CISO,” Woods says.

That current flexibility, however, could evolve or narrow over time.

“I think [the] NYDFS would like to pin the tail on one individual and have them responsible,” Woods says. “The industry pushed back and said, as a practical matter, that it is just not going to happen because there are so many chefs in the kitchen here and they are all indispensable. I imagine that this could be tightened down the road if the Department doesn’t feel things are going the way they had hoped.”

Woods is also pleased to see, at the very least, a willingness to act on industry concerns.

“Let’s not lose sight of the fact that no one wants to be hacked,” he says. “Those who are hacked are victims, yet they are frequently treated by the government as malfeasants who were negligent or careless. In some instances, perhaps that is the case, but I need to believe most are professionals who want to take the proper steps not to become victims. To treat them as instant defendants the minute they get hacked is an over-play in my book. We need to see more of a cooperative venture here where industry and government are working together toward a common goal, so I’m delighted to see that there was flexibility embedded in many of these changes.”

Carving out many more entities from being covered by the rules was also a shrewd, important move, says Jeffrey Taft, a partner at Mayer Brown and a financial services regulatory attorney.

“That was a recognition that there are a lot of small mom and pop businesses out there that aren’t banks or insurance companies,” he says. Nevertheless, even small entities licensed by the Department—mortgage brokers, mortgage lenders, money services businesses, and small-loan lenders—were covered by the rules and faced a far greater compliance burden than their larger peers.

Taft also applauded the easing up of multifactor authentication and encryption demands. “The Department’s initial view was that these are technically feasible and will make things safer, so people should do it,” he says. “That overlooked the fact that there are costs associated with it. The original proposal for encryption was very broad. It didn’t even talk about external networks. People were asking whether transferring data within their own network required encryption even if that doesn’t make a lot of sense.”

The revised regulation “loosens the requirement around encryption,” establishing it as “part of doing a more general, facts and circumstances review,” he says. “It initially looked as though companies were going to need to use multifactor authentication and double passwords for everything.”

As for what needs to be reported to the NYDFS, the revised rules limit the scope. Rather than the original, overly broad mandate, there is now a harm threshold with reporting based on a reasonable likelihood of an event materially harming, “not just that somebody tried to hack in or clicked on a phishing link,” Taft says.

The effort to tailor requirements to risk assessments was welcomed, says Judy Selby, managing director in BDO Consulting’s technology advisory services practice. “Because it’s a regulation and not just guidance, I have more confidence that a risk-based approach will be effective,” she says.

Allowing certifications to detail compliance efforts underway, rather than provide a blanket promise of security, was also important. “They maintained the certification with the big caveat that you can say you are working on areas where you are not in compliance,” Selby says. “It now requires you to identify those areas and the steps you are taking, or plan to undertake and remediate. That’s a bow to reality. For most institutions, coming into compliance with the original language in the regulation would have been extremely difficult.”

Mandates regarding third parties were eased up a bit, but should remain a priority for firms. “There are still people who think that if they hire a vendor to handle their information that all the responsibility goes to it and if anything goes wrong it is the vendor’s fault,” Selby said. “It is surprising that some people still think that.”

A challenge, she said, is that law firms and other professional services companies may not think of themselves as a vendor for purposes of these rules and other regulatory requirements. “It is hard for trusted advisers to wrap their head around the idea that they are a third-party vendor because they are aggregators of clients’ sensitive information.”

The new proposal clarifies obligations regarding asset inventory and device management. “That’s significant because if you don’t know what assets you have, you can’t properly protect them,” Selby says. “We have such a mobile workforce now, device management is critical. We do see breaches arising from mismanagement of IT assets, sometimes even when they are being disposed of.”

Asset inventories may be even more important amid a spike in M&A activity, with companies often inheriting an acquisition’s legacy systems.

“We find over and over again that many companies really have trouble answering the question: ‘Do you know where your data is?’ Putting in an asset inventory requirement is a step in the right direction,” Selby says. “People need to understand that information now is an asset and is valuable and they need to protect it like any other asset. You can’t imagine anyone having money some place and not knowing where it is. It is the same thing.”