New York Department of Financial Services Revises Proposed Cybersecurity Regulations
On December 28, 2016, the New York Department of Financial Services (the DFS) issued a revised version of proposed regulations (the Revised Proposal) regarding cybersecurity requirements that would apply to financial services firms that are licensed, or are otherwise granted operating privileges, by the DFS (Covered Entities). As described in our September 26, 2016 bulletin titled New Cybersecurity Rules May Apply Imminently to a Wide Range of Financial Services Firms in New York State, the DFS first proposed cybersecurity regulations on September 13, 2016 (the Original Proposal). The DFS is inviting comments on its Revised Proposal until January 27, 2017. The Revised Proposal is expected to become effective as of March 1, 2017, subject to the compliance transition periods discussed further below.
The changes reflected in the Revised Proposal resulted, in part, from the substantial public comments submitted in response to the Original Proposal. Although the Revised Proposal addresses several areas of concern or confusion for financial services firms, certain questions of scope and liability remain. Notwithstanding the intended effects of the revisions to accommodate suggestions from commenters, the Revised Proposal's requirements remain extensive and may impose significant compliance burdens on Covered Entities.
Notable Changes to the Original Proposal
Cybersecurity Risk Assessments and Program Requirements. One key emphasis in the Revised Proposal is on Covered Entities' risk assessments, which, as the Revised Proposal makes clear, are to be a central factor in the development of systems, policies and procedures for compliance with the cybersecurity regulations. This emphasis appears to reflect DFS's acknowledgment that the Original Proposal's prescribed "one-size-fits-all" requirements for cybersecurity programs were, arguably, at odds with the DFS's stated objective that such programs be risk-based. Although the development of a cybersecurity program based upon an individualized and somewhat fluid risk assessment may result in greater costs and require more effort, that approach will permit greater flexibility and more easily attainable objectives for Covered Entities when developing compliant cybersecurity programs. This will be particularly true for those smaller and less complex institutions that may not require the cybersecurity compliance infrastructure needed by most larger and more interconnected institutions. Notably, the Revised Proposal also relieves a Covered Entity from establishing a cybersecurity program that will "ensure" the confidentiality, integrity and availability of the Covered Entity's information systems (as was required under the Original Proposal); instead, Covered Entities' cybersecurity programs must be designed to "protect" those aspects of their information systems.
With respect to cybersecurity personnel and resources, whereas the Original Proposal required Covered Entities to "employ" qualified cybersecurity personnel to manage cybersecurity risks and perform the core functions of their cybersecurity programs, the Revised Proposal more broadly requires Covered Entities to "utilize qualified personnel of the Covered Entity, an Affiliate or a Third Party Service Provider" in carrying out cybersecurity program-related responsibilities and other applicable requirements. Although Covered Entities must field a minimum level of cybersecurity experience and expertise, this broader language in the Revised Proposal permits the contracting of external personnel rather than the full-time employment of in-house resources.
Nonpublic Information. "Nonpublic information" (NPI)—the security and integrity of which the cybersecurity regulations are designed to protect—is defined slightly differently under the Revised Proposal than in the Original Proposal. The revised definition of NPI continues to include the "business-related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity." The Revised Proposal, however, narrows and consolidates the other categories of NPI.
Under the Original Proposal, NPI included the above-described business-related information, as well as any information (i) provided by an individual to a Covered Entity in connection with the seeking or obtaining of any financial product or service from the Covered Entity, (ii) about an individual resulting from a transaction involving a financial product or service between a Covered Entity and an individual, (iii) that a Covered Entity otherwise obtains about an individual in connection with providing a financial product or service to that individual, or (iv) that can be used to distinguish or trace an individual's identity. In general, industry commenters viewed this definition as overbroad. Perhaps in recognition of these concerns, the DFS in the Revised Proposal limits the scope of covered identifying information to information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers' license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual's financial account, or (v) biometric records.
The Revised Proposal's definition of NPI relating to individuals, although still broad, is consistent in many ways with the definition of protected "private information" under New York's Information Security Breach and Notification statute, as well as the data security and breach notification laws of many other jurisdictions. The revised definition may therefore mitigate the need for Covered Entities to maintain a separate classification of protected information for purposes of compliance with the Revised Proposal. However, the inclusion of business-related information remains very broad, and might include information such as emails, strategy documents and sensitive operating procedures, all of which would be subject to the obligation to protect, as well as the Revised Proposal's requirements relating to encryption of data in transit and at rest.
Access Controls and Encryption. Under the Revised Proposal, Covered Entities' use of multi-factor authentication and encryption for the protection of information systems and NPI generally may be based on the risk assessments of those firms. Thus, a Covered Entity with a lower cybersecurity risk profile may elect to adopt certain risk-based authentication techniques that are less burdensome or costly than multi-factor authentication. However, multi-factor authentication (which is defined specifically, and does not include methods like device-based authentication) must still be used for any individual accessing the entity's internal networks from an external network "unless the Covered Entity's Chief Information Security Officer (CISO) has approved in writing the use of reasonably equivalent or more secure access controls." Firms may view reliance on a written determination by the CISO that an alternative method is "reasonably equivalent" or "more secure" as riskier than conforming to the general rule. The Revised Proposal therefore maintains a certain technology preference, arguably persuading Covered Entities to use the method specifically allowed by the regulations, and dampening the potential use of other (and perhaps more innovative) technologies or methods.
Similarly, while the Original Proposal mandated the encryption of NPI while at rest or during transmission across external networks, the Revised Proposal allows Covered Entities to implement reasonable controls for the protection of NPI held or transmitted on external networks. However, as with the above-described multi-factor authentication provision, "to the extent a Covered Entity determines that encryption of [NPI] [in transit over external networks or at rest] is infeasible, the Covered Entity may instead secure such [NPI] using effective alternative compensating controls reviewed and approved by the Covered Entity's CISO." The use of an alternative method therefore requires a finding that the use of encryption is "infeasible," and a written determination to use an alternative method—again tilting the technological choice to secure NPI (including sensitive business information) to encryption and away from methods such as access controls or data-sharding for data at rest. In sum, while these revisions afford Covered Entities greater flexibility than the Original Proposal regarding risk-based access controls when those controls are reviewed regularly by a firm's CISO, the Revised Proposal nonetheless reveals stated technology preferences.
CISO Requirements. The Revised Proposal includes certain clarifications with respect to the CISO required under the regulations. Specifically, a firm's CISO need not be hired or appointed to serve exclusively in that capacity. A Covered Entity may designate a qualified individual to perform the required functions of the CISO, and that individual's professional duties do not need to be limited to CISO functions. Moreover, the Revised Proposal clarifies that the use of the specific title of CISO is not required.
With respect to the reporting duties of the CISO, the Revised Proposal limits the scope of the reports required to be made to a Covered Entity's Board of Directors in terms of both frequency (from bi-annually to annually)[1] and content (for example, by requiring the CISO to identify and report on material cyber risks to the Covered Entity, rather than all cyber risks).
Third Party Service Providers. The Revised Proposal contains a number of modifications affecting Third Party Service Providers and the obligations imposed upon such entities. These modifications include, among others:
- Adding the defined term "Third Party Service Provider." The definition includes firms that provide services to Covered Entities or that maintain, process or are otherwise permitted access to the NPI of Covered Entities. Affiliates of Covered Entities are excluded from the definition.
- Requiring internal guidelines for arrangements with Third Party Service Providers instead of prescriptive preferred contract provisions. The Revised Proposal specifies the topics to be addressed by contracts with Third Party Service Providers instead of dictating the provisions' content. For example, the Revised Proposal would not, as did the Original Proposal, require specific representations and warranties from Third Party Service Providers that any service or product that they provide to a Covered Entity "is free of viruses, trap doors, time bombs and other mechanisms" that would pose cyber risks to the Covered Entity. The DFS appears to have recognized that such a categorical representation as the Original Proposal required could almost never be made with certainty and thus would essentially be meaningless.
- Clarifying that a Covered Entity's Third Party Service Provider security policies and procedures shall be based on and tailored according to the periodic risk assessments of the Covered Entity. This clarification addresses the concern that, for purposes of Covered Entities' responsibility to design and implement Third Party Service Provider security policies and procedures, the Original Proposal may have required an individual risk assessment of every Third Party Service Provider used by a Covered Entity. It is also consistent with the clarifications described above regarding the requirements for risk-based cybersecurity programs and access control policies and procedures.
Cybersecurity Event Reporting Obligations. Under both Proposals, a "cybersecurity event" means "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." However, the Revised Proposal includes certain concessions to Covered Entities regarding reporting obligations in connection with such events. The Original Proposal required Covered Entities to report to the DFS within 72 hours of "becoming aware" of a cybersecurity event that affects NPI or that has a reasonable likelihood of materially "affecting" Covered Entities' normal operations. By contrast, the Revised Proposal requires Covered Entities to notify the DFS within 72 hours of making a determination that a cybersecurity event of the following types has occurred: (i) a cybersecurity event that has a reasonable likelihood of materially "harming" the normal operations of the Covered Entity and (ii) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency.
These modifications are likely to ease the burden on Covered Entities of reporting cybersecurity events without compromising the well-accepted goal of notifying affected individuals and government agencies about serious cybersecurity breaches. Financial services firms operating in New York are currently subject to extensive security breach notification requirements under New York's General Business Law and may be responsible for certain reporting requirements applicable under federal interagency guidelines. Accordingly, the changes incorporated into the Revised Proposal will not let serious cybersecurity incidents go unreported.[2]
Exemptions. The Revised Proposal broadens the exemptions from some of the cybersecurity requirements of the regulations for certain Covered Entities. The revised exemption applies to any Covered Entity with either (i) fewer than 10 employees (including independent contractors) or (ii) less than US$5 million in gross annual revenue in each of the last three years or US$10 million in year-end total assets. The Revised Proposal also adds an exemption, not included in the Original Proposal, for any Covered Entity that "does not directly or indirectly operate, maintain, utilize or control any information systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess NPI."[3]
The Revised Proposal, however, would require any Covered Entity that qualifies for an applicable exemption to file a one-time Notice of Exemption.[4]
Transition Periods. The Revised Proposal includes staggered transition periods for compliance with various aspects of the regulations. Consistent with the Original Proposal, Covered Entities are granted 180 days from the effective date of any final regulations (which, as noted, is expected to be March 1, 2017) to come into full compliance. But the Revised Proposal also includes longer transition periods for select requirements. Covered Entities are given one year to comply with requirements relating to penetration testing and vulnerability assessments, periodic risk assessments, multi-factor authentication and certain training and monitoring provisions. Covered Entities are given 18 months to comply with requirements relating to an audit trail, application security, data retention, encryption and certain training and monitoring provisions and two years to comply with Third Party Service Provider requirements.
Considerations for Covered Entities
Although the Revised Proposal modifies the Original Proposal in ways that may reduce the burdens of complying with the regulations, certain provisions of the Original Proposal that have remained intact may cause confusion or subject firms to significant compliance costs. For example, the term "Covered Entity" was not amended substantively in the Revised Proposal (other than to exclude governmental entities) and the intended scope of the regulations was not otherwise addressed by the DFS. As noted in our analysis of the Original Proposal, although it is clear that banks, insurance companies and their holding companies would be Covered Entities, it is unclear to what extent firms with multi-state enterprise-wide operations, but with only limited ties to New York state, could be deemed to be Covered Entities. This question may arise for out-of-state banks with one or more branches (or limited-purpose offices such as trust offices) in New York state. The enterprise-wide activities of such banks could be made subject to the Revised Proposal, possibly through affiliated DFS-regulated insurance entities and other financial services firms, even if the activities that occur within the DFS's jurisdiction or involve the NPI of New York residents are minimal.
Notwithstanding the above, we note that with respect to national banks, the Revised Proposal may be preempted by federal law.[5] Moreover, although federal law governing the subsidiaries, agents and affiliates of national banks located in New York would not preempt the Revised Proposal, the enforcement of the regulations by the DFS could be precluded by federal law, which vests with the Office of the Comptroller of the Currency exclusive visitorial authority regarding the content and conduct of activities authorized for national banks under federal law.[6] Similarly, the Securities Exchange Act (Exchange Act) limits the application of state law establishing certain functional and reporting requirements upon broker-dealers that differ from or add to requirements established by the Exchange Act or regulations issued thereunder by the Securities and Exchange Commission (SEC).[7]
The Revised Proposal also does not modify the Original Proposal's annual certification-of-compliance requirement. Completion of an annual certification of compliance is likely to be costly for Covered Entities and will require senior officer(s) of such Entities to obtain actual, perhaps extensive knowledge of compliance systems and controls. Although the DFS appears to have received considerable commentary regarding the cost and limited utility of an annual certification of compliance, the DFS stated the following in connection with the release of the Revised Proposal: "The [DFS] has determined that the annual certification of compliance is an important part of the regulation and the [DFS's] oversight of the financial market. The [DFS] does not believe that the requirement creates unnecessary burdens; to the contrary, the [DFS] believes the process is essential to good corporate governance." The DFS's statement that an annual certification of compliance is "essential to good corporate governance" provides an indication that the Covered Entity's certifying senior officer(s) and/or directors may be personally liable for perceived compliance shortcomings.
In sum, the Revised Proposal allows for greater flexibility than the Original Proposal, which, at least in certain contexts, could reduce compliance obligations and related costs. Nevertheless, the implementation of compliance systems that conform to the DFS's cybersecurity regulations likely will be a challenging and costly exercise—and ongoing liability for firms and their individual officers and directors remains possible. Accordingly, the various strategic alternatives for managing institutional and personal regulatory risk discussed in our analysis of the Original Proposal—such as charter conversion (to a new home state or a national bank charter), relocation and reorganization—would remain relevant even if the DFS's cybersecurity regulations are adopted in their revised form.
As noted, the DFS is accepting comments on the Revised Proposal only until January 27, 2017. Any firms considering providing recommendations for additional modifications thus have a very short window of time in which to do so.
[1] We note that the term "bi-annually" could be read to require a report by the CISO every two years, as opposed to twice per year, but in light of the totality of the changes made by the DFS in the Revised Proposal, and without clear guidance from the DFS on this subject, we presume that the change from "bi-annually" to "annually" is intended to lessen, not increase, the reporting obligations of CISOs.
[2] The Revised Proposal also provides that any information provided to the DFS by a Covered Entity pursuant to the DFS's cybersecurity regulations is "subject to exemptions from disclosure" under the New York Banking, Insurance, Financial Services and Public Officers Laws "or any other applicable federal or state laws."
[3] The first provision discussed above (in effect, a small institution exemption) exempts Covered Entities from compliance with the requirements of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of the regulations, while the second provision (applicable to entities that do not operate, maintain, utilize or control information systems and which do not own, access, generate, receive or possess NPI) exempts Covered Entities from compliance with Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16.
[7] 15 U.S.C. § 78o(i). We note that the SEC has promulgated several regulations related to cybersecurity and the protection of information and trading systems, securities markets and customer information.