Compliance officers working with banks, insurers, and other financial service companies doing business in New York may soon find themselves with expanded jobs due to new proposed cyber-security regulations scheduled to take effect in that state in 2017. The proposed regulations were issued by the New York Department of Financial Services (NYDFS) on September 13, 2016. While similar to existing federal data security regulations for financial institutions promulgated under the authority of the Gramm-Leach-Bliley Act (GLBA), New York’s proposed regulations contain potentially burdensome additional requirements that are not found in the GLBA-related federal regulations.
Impact of the regulations
New York’s proposed cyber-security regulations will cover any person or entity “operating under or required to operate under a license, registration … or similar authorization under” New York’s banking, insurance, or financial services laws (also known as Covered Entities). National banks, banks chartered in other states, Federal credit unions, and broker-dealers (among others) would not be Covered Entities.
At its core, the New York regulations set forth requirements for Covered Entities with respect to the protection of their electronic information systems and “non-public information” in electronic form. Under the regulations, non-public information includes the customer information that a financial institution maintains, but it also includes any business information of a Covered Entity whose unauthorized disclosure would have a material adverse impact on the entity, information related to the health or healthcare of individuals, information that can identify an individual (e.g., name and government ID), and information that is linked or linkable to an individual (e.g., employment-related information).
As is typically the case with information security laws and regulations, the proposed New York rules require that Covered Entities maintain a cyber-security program and written cyber-security policies. However, unlike other regulations and frameworks, which generally take a risk-based approach to information security, New York’s cyber-security regulations impose more prescriptive rules, such as requiring Covered Entities to:
appoint a Chief Information Security Officer (CISO);
encrypt all non-public information;
conduct annual penetration tests and quarterly vulnerability tests of information systems;
maintain audit systems that allow “for the complete and accurate reconstruction of all financial transactions … necessary to enable the Covered Entity to detect and respond to” cyber-security events;
use multifactor authentication in certain cases;
notify the NYDFS within 72 hours of becoming aware of cyber-security events; and
annually submit to the NYDFS a certification of compliance.
Compliance exemptions and timelines
New York’s proposed cyber-security regulations contain limited exemptions and transition periods with respect to some of their requirements. A Covered Entity qualifies for the limited exemption only if it meets all three of the following thresholds: fewer than 1,000 customers in each of the three preceding calendar years; less than $5 million in gross annual revenue in each of the three preceding fiscal years; and less than $10 million in year-end total assets. An entity that qualifies is exempt from certain regulatory requirements, including the provisions relating to appointing a CISO, conducting penetration and vulnerability tests, maintaining audit trail systems, using multifactor authentication, and encrypting non-public information.
The regulations as a whole are currently scheduled to become effective on Jan. 1, 2017. However, Covered Entities have an additional 180 days following that date to achieve compliance. In addition, longer transition periods are granted with respect to the regulation’s encryption requirements. Specifically, if it is not feasible to achieve compliance with those encryption requirements, the regulation allows a Covered Entity until Jan. 1, 2018 to achieve compliance with respect to encrypting non-public information in transit, and until Jan. 1, 2022 to achieve compliance with respect to encrypting non-public information at rest.
During these phase-in periods, a Covered Entity will need to use alternative methods (approved by its CISO) for protecting non-public information.
Status of the regulation
Following their publication, the regulations were subject to a comment period that ended on Nov. 14, 2016. During that period a number of comments and objections were submitted to the NYDFS, and the NYDFS may alter the final regulations it ultimately issues in response to them. In the meantime, if your company is a financial entity doing business in New York, it should analyze whether the regulations as proposed apply to it and, if so, begin developing plans for achieving compliance.
Todd Taylor is a Member of Moore & Van Allen PLLC in Charlotte, North Carolina. Mr. Taylor’s practice is focused on privacy, information security and transactional matters, with an emphasis on supporting clients in the financial services industry. He can be reached at firstname.lastname@example.org.