New York DFS Cybersecurity Regulation:

Transcription

1 New York DFS Cybersecurity Regulation: Countdown to the August 28 Compliance Deadline Presented by: Craig Hoffman, Melinda McLellan & Jonathan Forman Moderated by: Carol Van Cleef July 27, 2017

2 Craig A. Hoffman Partner Cincinnati Melinda L. McLellan Partner New York Carol R. Van Cleef Partner D.C Jonathan A. Forman Counsel New York

3 Agenda Who is impacted by the new regulation? What is required by it that is different than existing laws and regulations? How do you leverage an existing cybersecurity program to achieve compliance? When are the compliance deadlines? How do you show compliance to minimize enforcement risks? 3

4 Entities Impacted NYDFS Licensees Affiliates New York Branch Offices Third Party Service Providers Business Partners Counterparties 4

5 Exemptions Full Exemptions Charitable annuity societies, non-ny risk retention groups, accredited/certified reinsurers Employee/agent covered by program of other licensee Limited Exemptions Limited operations in NY (revenue, personnel, assets) Captive insurance companies Does not directly or indirectly use Information Systems or access Nonpublic Information 5

6 Exempt Licensees Exempt licensees must file a notice with NYDFS File within 30 days of determining exempt status Licensees with limited exemption must still: Conduct risk assessment that informs cybersecurity program, written cybersecurity policy, access privileges, third party service provider security policy, and data retention practices Notify NYDFS of cybersecurity events and annually certify compliance to NYDFS Exemptions are not permanent 180 days to comply once exemption is invalid 6

7 New Requirements Annually certify compliance and report cybersecurity events to NYDFS Appoint CISO Conduct periodic risk assessment Review incident response plan Definition of cybersecurity event Definition of NPI (includes business info) Maintain audit trails for set time periods 7

8 Compliance Deadlines August 28, 2017 Implement cybersecurity program; CISO appointment March 1, 2018 Risk assessments; MFA September 3, 2018 Audit trails and encryption March 1, 2019 Vendor compliance Intervening certifications on February 15, 2018 &

9 August 28, 2017 Deadline Designate CISO Utilize qualified personnel Limit access to NPI Use defensive infrastructure Maintain written cybersecurity policy approved by senior officer Establish written incident response plan Report cybersecurity events to NYDFS 9

10 March 1, 2018 Deadline Conduct risk assessment CISO report to Board of Directors Employee training Conduct continuous monitoring OR annual penetration testing and bi-annual vulnerability assessments Employ multi-factor authentication 10

11 September 3, 2018 Deadline Maintain audit trails Implement disposal policies for non-required NPI Secure application development practices Encrypt NPI in transit and at rest Monitor user activity 11

12 March 1, 2019 Deadline Control risks associated with third parties accessing NPI Policies and procedures to address the due diligence process undertaken prior to engagement of the service provider Contractual provisions required for the service provider agreement Follow-up monitoring to confirm continued compliance by the service provider 12

13 Documenting Compliance Show don t tell regulators that cybersecurity program is Risk based Implemented through written policies and training Periodically reviewed and updated Understood and respected by all users, including board of directors and senior management Mere window dressing will not suffice 13

14 Privacy and Data Protection Team Practice Group of the Year by Law360 Chambers USA/Legal 500 Nationally-Ranked Handled over 2,000 breaches; more than 450 in 2016 alone Team includes 40+ attorneys across the country specializing in privacy and data security law Blog: 14

15 Contact Information Craig A. Hoffman Partner Cincinnati Melinda L. McLellan Partner New York Carol R. Van Cleef Partner D.C Jonathan A. Forman Counsel New York

16 Atlanta Chicago Cincinnati Cleveland Columbus Costa Mesa Denver Houston Los Angeles New York Orlando Philadelphia Seattle Washington, DC These materials have been prepared by Baker & Hostetler LLP for informational purposes only and are not legal advice. The information is not intended to create, and receipt of it does not constitute, a lawyer-client relationship. Readers should not act upon this information without seeking professional counsel. You should consult a lawyer for individual advice regarding your own situation Baker & Hostetler LLP. All Rights Reserved.