NYDFS Cybersecurity Regulations

Transcription

1

2

3 SPEAKERS

4

5 NYDFS Cybersecurity Regulations Lisa J. Sotto Hunton & Williams LLP (212) March 9, 2017

6 The Privacy Team at Hunton & Williams Over 30 privacy professionals in the U.S., EU and Asia Our clients have included 6 of the Fortune 10 Representing clients across multiple industry sectors, including financial services, retail, consumer products, technology, advertising, transportation, publishing, energy, health care and pharmaceutical Centre for Information Policy Leadership at Hunton & Williams

7 SWIFT Scottrade Morgan Stanley JPMorgan Chase Global Payments RBS Worldpay Key Financial Services Incidents

8 Roadmap Purpose and Scope of the Regulations Key Definitions Key Requirements Preparing for the Regulations

9 Purpose of the regulations Purpose and Scope of the Regulations Applies to covered entities that are required to operate under a license or charter under the NY banking, insurance or financial services law. Examples include: Banks chartered in NY Trust companies Money transmitters Mortgage brokers Does not apply to: National banks or banks chartered in other states Broker-dealers Federal credit unions

10 Key Definitions Cybersecurity Event Nonpublic Information Third Party Service Provider

11 Key Requirements Cybersecurity program Written cybersecurity policy, approved by senior officer or the Board CISO, to report to the Board Penetration testing, vulnerability assessments and audit trails Periodic risk assessments Service provider policy Limits on data retention Encryption Written incident response plan Notification to DFS for cybersecurity events and annual certification of compliance

12 Cybersecurity Program Cybersecurity program must be based on the covered entity s risk assessment and be designed to: identify and assess internal and external cybersecurity risks use defensive infrastructure and policies to protect the covered entity s information systems and data detect cybersecurity events respond to identified cybersecurity events recover and restore normal operations fulfill applicable regulatory reporting obligations

13 Written Cybersecurity Policy Covered entities must have a written policy based on a risk assessment Policy must be approved by a senior officer or the Board Must address such issues as: access controls and identity management business continuity and disaster recovery planning and resources systems and network security and monitoring physical security and environmental controls customer data privacy vendor and third party service provider management Incident response

14 Chief Information Security Officer and Cybersecurity Personnel CISO Individual responsible for overseeing and implementing the cybersecurity program and policy Can be employed by an affiliate or third party service provider of the covered entity Must report annually in writing to the Board of Directors Cybersecurity Personnel Must have sufficient cybersecurity training and updates Must verify that they take steps to maintain current knowledge of changing cybersecurity threats and measures 14

15 Annual penetration testing Penetration Testing, Vulnerability Assessments, Audit Trails and Risk Assessment Bi-annual vulnerability assessments Audit trails designed to: Reconstruct material financial transactions sufficient to support the covered entity s operations and Detect and respond to cybersecurity events that have a reasonable likelihood of materially harming the covered entity's operations Audit trails must be retained for 5 years Risk assessment must be performed periodically and updated to address changes to Information Systems, Nonpublic Information or business operations

16 Service Provider Policy, Data Retention and Encryption Service providers: Service provider policy must address minimum cybersecurity practices of vendors Due diligence Contractual representations and warranties Data retention limitations: Nonpublic Information should be disposed of periodically if it is no longer needed for business operations or other legitimate business purposes, unless required by law Encryption of Nonpublic Information at rest and in transit Compensating controls are permitted if reviewed and approved by the CISO

17 Must address such issues as: Incident Response Plan the internal processes for responding to a cybersecurity event the goals of the incident response plan the definition of clear roles, responsibilities and levels of decision-making authority external and internal communications and information sharing Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls documentation and reporting regarding cybersecurity events and related incident response activities the evaluation and revision of the incident response plan following a cybersecurity event

18 Notification to DFS Covered entities must notify DFS within 72 hours of: Cybersecurity events of which notice is required to be provided to any government or self-regulatory or supervisory body; and Cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity Covered entity must submit an annual certification of compliance with the regulations by February 15 of each year

19 How do the NY Cybersecurity Regulations compare to GLB? Greater specificity for information security program GLB must include administrative, physical and technical safeguards NY must address 14 specific areas Increased personnel requirements GLB must designate an employee or employees to coordinate information security program NY must have CISO and cybersecurity personnel

20 How do the NY Cybersecurity Regulations compare to GLB? Greater specificity and timing requirements for testing and assessments GLB not specified; based on risk assessment NY annual penetration testing and bi-annual vulnerability assessments Notifying regulators following an incident GLB as soon as possible NY within 72 hours

21 Path to Compliance Covered entities have 180 days to comply, with specified exceptions: 1 year to conduct penetration testing, vulnerability assessments, risk assessment and cybersecurity training 18 months to comply with audit trail, data retention and encryption requirements 2 years to develop third party service provider compliance program Covered entities should conduct a gap analysis to understand compliance gaps Remediation should focus first on issues with earlier compliance deadlines

22 Lisa J. Sotto Partner Chair, Privacy and Cybersecurity Practice Hunton & Williams LLP (212)

23

24 ABOUT ALLCLEAR ID WE HELP GREAT COMPANIES KEEP THEIR CUSTOMERS SAFE

25 CUSTOMER SECURITY REQUIREMENTS 78M Records 76M Records 5M Records 100TBs 78M Records 210K Records 24M Records 8M Records 40M Records 56M Records 114K Records 130M Records

26 REQUIREMENT FOR MULTI-FACTOR AUTHENTICATION

27 REQUIREMENT FOR MULTI-FACTOR AUTHENTICATION

28

29

30

31 BREACH REQUIRES A SPECIAL OPERATIONS TEAM

32 BUILDING A SUCCESSFUL PLAN 1 2 3

33 EXECUTING YOUR PLAN

34 HOW TO GET YOUR TEAM ENGAGED

35 QUESTIONS?

36