NY DFS Cybersecurity Regulations August 8, 2017

Transcription

1 NY DFS Cybersecurity Regulations August 8, NYCRR Part 500

2 Asking Questions

3 Anti-Trust Policy

4 As a CPCU approved education program related to The Institutes Chartered Property Casualty Underwriter professional designation, this program may be applied for 1 credit hour towards continuing education requirements.

5 Cate Paolino State Affairs Director Northeast Region NAMIC

6 Presenters Michael Nonaka Partner Covington & Burling, LLP Micaela R.H. McMurrough Special Counsel Covington & Burling, LLP

7 AGENDA History of the Regulations Comment Periods Input and Outcomes Key Dates Transition Periods by Provision Key Provisions FAQ Highlights What s Next? 7

8 8

9 History of the Cybersecurity Regulations Sep. 13, 2016 First Draft released Nov. 14, 2016 First comment period (45 days) ended Dec. 28, 2016 Second Draft released Jan. 27, 2017 Second comment period (30 days) ended Feb. 13, 2017 Final Regulation released March 1, 2017 Final Regulation became effective 9

10 Initial Release Reaction was strong and swift Regulation was broadly applied and viewed as highly prescriptive Seemed intended to raise floor of cybersecurity, and establish baseline practices across the board Flurry of activity and concern about compliance 10

11 What we learned from the comment periods Covered entities needed more flexibility and customization Overbroad notification requirement Transitional periods recognize some provisions are easier to comply with than others (thirdparty service provider difficulties) Reduction of the audit trail by adding materiality qualifiers 11

12 What changed based on the comment periods the Risk Assessment is paramount audit trail requirements modified by materiality requirements notice provisions modified by materiality requirements data may be retained for legitimate business purposes (not just when retention is required by law) definitions narrowed BUT. still prescriptive 12

13 13

14 14

15 Key Dates March 1, NYCRR Part 500 became effective. August 28, day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified. September 27, Initial 30 day period for filing Notices of Exemption under 23 NYCRR (e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR (a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date. February 15, Covered Entities are required to submit the first certification under 23 NYCRR (b) on or prior to this date. March 1, One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections (b), , , and (b) of 23 NYCRR Part 500. September 3, Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections , , , (a) and of 23 NYCRR Part 500. March 1, Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR

16 180-Day Transition Period Aug. 28, Cybersecurity Program Cybersecurity Policy (a) CISO (have one) Limit Access Privileges Risk Assessment Cybersecurity Personnel and Intelligence Incident Response Plan Notices to Superintendent 16

17 One Year Transition Period March 1, (b) CISO Report Penetration Testing and Vulnerability Assessments Risk Assessment Multi-Factor Authentication (b) Training and Monitoring Cybersecurity awareness training 17

18 Eighteen Month Transition Period Sep. 3, Audit Trail Application Security Limitations on Data Retention (a) Training and Monitoring Monitor the activity of Authorized Users, detect unauthorized access or use by Authorized Users Encryption of Nonpublic Information 18

19 Two Year Transition Period March 1, Third Party Service Provider Security Policy 19

20 Electronic Filing of Notices 20

21 Key Provisions The Risk Assessment Added in response to public comment Now a touchstone of the regulation Compliance with many other provisions depends on assessment Requires: a periodic risk assessment that is sufficient to inform the design of the cybersecurity program Carried out in accordance with policies and procedures, and includes: criteria for categorization of risk criteria for assessment of the cyber program description of how identified risks will be mitigated or accepted 21

22 Key Provisions Pen Testing and Vulnerability Assessment Cybersecurity program shall include monitoring and testing of networks and Information Systems. The purpose is to detect, on an ongoing basis, changes in systems that may create or indicate vulnerabilities. Can satisfy the provision through: continuous monitoring OR annual penetration testing + bi-annual vulnerability assessments 22

23 Key Provisions Notice Requirements Must notify the NY DFS Superintendent: (a) no later than 72 hours from a determination that a Cybersecurity Event * has occurred where either: 1) notice is required to be provided to any other government body, self-regulatory agency or any other supervisory body 2) reasonable likelihood of materially harming any material part of normal operations of the business (b) Written statement of compliance every February 15 (Form is in Appendix A) * Cybersecurity Event = any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System 23

24 Appendix A - Certificate of Compliance 24

25 Key Provisions Third Party Service Providers Have policies and procedures that set forth: risk assessment of the third party minimum cybersecurity practices for third parties due diligence used to evaluate cybersecurity posture of third parties plan for periodic assessment of the cybersecurity posture of third parties Include relevant guidelines for due diligence or contractual terms about: procedures for access controls, Multi Factor Authentication use of encryption notice to be provided to you in the event of an incident reps and warranties about cyber posture 25

26 Key Provisions Exemptions a) Small Entities - Covered Entities with: fewer than 10 employees less than $5M in gross annual revenue in each of last 3 fiscal years less than $10M in year-end total assets b) an employee, agent or rep of a Covered Entity who is itself a Covered Entity c) no control over Information Systems/does not possess Nonpublic Information d) captive insurers These are LIMITED EXEMPTIONS some provisions still may apply; read the reg You MUST FILE FOR THE EXEMPTION not automatic filing is electronic, example form online 26

27 Appendix B - Notice of Exemption 27

28 Highlights from Published FAQs Obligation to report Unsuccessful Attacks? The Department anticipates that most unsuccessful attacks will not be reportable. Notify the Department of unsuccessful attacks that appear particularly significant. Consider whether handling the attack required exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps. Notice required when a Cybersecurity Event involves harm to consumers? Yes. Can include actual or potential consumer harm. What constitutes continuous monitoring for purposes of ? Can be attained through a variety of technical and procedural tools, controls and systems. No specific technology required to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems. Periodic manual review of logs and firewall configurations would not be considered to constitute "effective continuous monitoring" 28

29 Highlights from Published FAQs (cont.) Can a Covered Entity adopt parts of an Affiliate s cyber program? Yes a Covered Entity can adopt an Affiliate s cyber program in whole or in part. What to do with inconsistent transition periods? (i.e., entities must comply with certain provisions related to the Risk Assessment by Aug. 28, 2017, but the Risk Assessment itself is subject to a longer transition period) When complying with currently applicable requirements, Covered Entities are generally not required to comply with... provisions of the regulation for which the applicable transitional period has not yet ended. For example, while Covered Entities will be required to have a cybersecurity program... in place by August 28, 2017, the Department recognizes that in some cases there may be updates and revisions thereafter that incorporate the results of a Risk Assessment later conducted, or other elements of Part 500 that are subject to longer transitional periods. 29

30 What s Next? 30

31 Questions? 31

32 Thank You! facebook.com/namic.org twitter.com/namic Linkedin.com/company/527132