June 13, 2017
NYDFS Cybersecurity Regulations: What do they mean? What is their impact?
Gus Coldebella, Principal, Boston
Caroline Simons, Principal, Boston
Agenda
1) Overview of the new regulations
2) Assessing their impact
3) How these regulations fit into the broader cybersecurity regulatory landscape
Overview of the New Regulations
Introduction
New York Division of Financial Services (NYDFS) promulgated substantive, first-in-nation cybersecurity regulations.
Effective Date was March 1, 2017.
The regulations require assessment, evaluation, establishment, and implementation of a cybersecurity program to address cyber risks, in order to:
- Protect customer and employee information
- Protect business information and IT systems
- Guard against disruption in business operations
They augment and supplement the federal Gramm-Leach-Bliley Act (GLBA).
Who's Covered?
Covered Entities: all individuals or non-governmental entities operating under authorization of New York's Banking Law, Insurance Law, or Financial Services Law.
But covered entities are exempt from certain provisions if they are:
- Small (< 10 employees, < $5m revenue, or < $10m assets);
- Designees covered by other covered entities;
- Without access to Nonpublic Information; or
- Captive insurance companies.
Not covered: reinsurers, risk retention groups, charitable annuity societies (e.g., colleges and universities).
23 NYCRR 500.19
Key Changes from Earlier Drafts
Proposed: Sept. 13, 2016
Revised: Dec. 28, 2016
Final: Feb. 16, 2017
- Greater emphasis on role of Risk Assessment
- Incorporation of materiality standard
- Reducing frequency of certain requirements
- More comprehensive documentation requirements & audit provisions
Net effect: more customization + more flexibility (?) + more accountability
Diving In
Overview: Personnel; Reporting; Risk Assessment & Cybersecurity Policy; Documentation; Third Parties
Key Definitions
Affiliate: defined by common control.
Cybersecurity Event: any act or attempt (successful or unsuccessful) to gain unauthorized access to, disrupt, or misuse an IS or information stored on an IS.
Nonpublic Information: all electronic information that is not Publicly Available Information and is:
- Business-related information, the compromise of which would cause material adverse impact to business, operations, or security;
- Personally Identifiable Information; or
- Protected Health Information.
Publicly Available Information: information that one has a reasonable basis to believe is lawfully made available to the general public.
23 NYCRR 500.01
Conduct Risk Assessment (Start Here!)
Conduct a periodic Risk Assessment sufficient to inform the design of the cybersecurity program.
- Must be conducted according to written policies and procedures
- Must be documented
- Must be updated as reasonably necessary to address changes
Policies and procedures must cover:
- How to evaluate and categorize identified risks or threats;
- How to assess confidentiality, integrity, security, and availability of information systems and nonpublic information;
- How to decide whether to mitigate or accept risks;
- How the cybersecurity program will address the risk.
23 NYCRR 500.09(b)
Maintain Cybersecurity Program
Maintain a Cybersecurity Program designed to protect the confidentiality, integrity & availability of Information Systems (IS).
- Should be based on the Risk Assessment
- Program must be documented
Program must be designed to:
- Identify cyber risks that threaten nonpublic information stored on IS;
- Use defensive infrastructure and implement policies to protect IS and nonpublic information stored on IS;
- Detect cybersecurity events;
- Respond to, and mitigate the effects of, cybersecurity events;
- Recover from cybersecurity events & restore normal operations;
- Fulfill regulatory reporting requirements.
23 NYCRR 500.02
Monitoring and Testing
Cybersecurity program must include monitoring and testing (again, measured against the Risk Assessment), comprising:
- Continuous monitoring, OR
- Annual penetration testing AND bi-annual vulnerability assessments
23 NYCRR 500.05
Other Cybersecurity Measures
Access Privileges: Limit user access privileges to IS that provide access to Nonpublic Information. 23 NYCRR 500.07
Assessments of Application Security: Review, assess, and update procedures and guidelines concerning the security of IS applications. 23 NYCRR 500.05
Multi-Factor Authentication: Use MFA or Risk-Based Authentication to protect against unauthorized access. 23 NYCRR 500.12
Limitations on Data Retention: Periodic, secure disposal of Nonpublic Information that is no longer necessary for business operations/purpose. 23 NYCRR 500.13
Encryption of Nonpublic Information: Encrypt, if feasible, Nonpublic Information held or transmitted, both in transit over external networks and at rest. 23 NYCRR 500.15
Create an Incident Response Plan
Must create a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of:
- the covered entity's IS, or
- the continuing functionality of any aspect of business or operations.
Plan must address:
(1) internal processes for responding to a cybersecurity event;
(2) goals of the incident response plan;
(3) definition of clear roles, responsibilities & levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of identified weaknesses in IS and associated controls;
(6) documentation and reporting regarding cybersecurity events; and
(7) evaluation and revision of the plan following a cybersecurity event.
23 NYCRR 500.16
Implement and Maintain Cybersecurity Policy
Implement and maintain a written cybersecurity policy:
- Approved by a Senior Officer or the Board of Directors
- Sets forth the cybersecurity program for the protection of IS and the Nonpublic Information stored on IS
- Again, based on the Risk Assessment
23 NYCRR 500.03
Implement and Maintain Cybersecurity Policy: areas the policy addresses
Data:
- Information security
- Data governance & classification
- Customer data privacy
Systems and Network:
- Access controls and identity management
- Ops & availability
- Security monitoring
- App development & quality assurance
- Physical security and env. controls
Business Operations:
- Vendor and 3rd party management
- Risk assessment
- Incident response
Designate a Chief Information Security Officer
Designate a CISO to oversee and implement the cybersecurity program and enforce the cybersecurity policy.
- May be employed by the Covered Entity, an affiliate, or a 3rd party provider
- CISO to report in writing at least annually to the Board of Directors
Report shall cover:
1) Confidentiality of Nonpublic Information and integrity and security of IS
2) Cybersecurity policy and procedures
3) Material cybersecurity risks
4) Overall effectiveness of the cybersecurity program
5) Material cybersecurity events involving the Covered Entity during the reporting time period
23 NYCRR 500.04
Other Regulations re: Personnel
Monitoring: implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users.
23 NYCRR 500.14(a)
Other Regulations re: Personnel
Utilization: Utilize qualified cybersecurity personnel to manage cybersecurity functions and manage risk.
Training: Provide cybersecurity personnel with updates and training sufficient to address risk; provide all personnel with updated cybersecurity awareness training.
Verification: Verify that cybersecurity personnel take steps to maintain current knowledge of cybersecurity threats and countermeasures.
Cybersecurity personnel may be employees, or employees of affiliates or 3rd party providers.
23 NYCRR 500.10, 500.14
Reporting: 72-Hour Notice Rule
Covered entity must inform DFS of a cybersecurity event within 72 hours from a determination that a Cybersecurity Event occurred, if the event is:
- a cybersecurity event for which notice is required to any other government or self-regulatory agency; or
- a cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
23 NYCRR 500.17(a)
Reporting: Annual Written Statement
Covered entity must submit to the superintendent an annual written statement covering the prior calendar year, certifying compliance.
All records to be maintained for 5 years for potential examination by DFS.
23 NYCRR 500.17(b)
Audit Trail
Covered entities must maintain systems:
- Designed to reconstruct material financial transactions sufficient to support normal operations and obligations
- That include audit trails designed to detect and respond to cybersecurity events
23 NYCRR 500.06
Required Documentation
Generally:
- Risk Assessment
- Documentation relevant to Cybersecurity Program
- Cybersecurity Policy
- In-house Application Development procedures and standards
- CISO written report
- Third Party Policy
3 years:
- Audit trails
5 years:
- Records supporting annual certificate of compliance
- Material remedial or improvement measures for systems, as required
- Reconstruction of material financial transactions
Regulation of Third Parties
Covered entities are required to develop and implement written policies and procedures to ensure the security of IS or Nonpublic Information that can be accessed by their vendors and other third parties.
Two requirements of covered entities:
- Must assess risks arising from third party access; and
- Must enforce data security guidelines and protocols on all vendors and business partners handling IS and nonpublic information, through due diligence and/or contractual agreements.
23 NYCRR 500.11
The Immediate Impact
Key Dates
Aug. 28, 2017: Cybersecurity Program; Cybersecurity Policy; Designation of CISO; Access Privileges; Cybersecurity Personnel & Intel; Incident Response Plan
Sept. 27, 2017: Notice of Exemption deadline
Feb. 15, 2018: First Annual Certification of Compliance
Mar. 1, 2018: Risk Assessment; Training Program; CISO Report to Board; Multi-Factor Authentication; Pen Testing & Vulnerability Assessments
Sept. 1, 2018: Audit Trail; Monitoring Program; Application Security; Limitations on Data Retention; Encryption of Nonpublic Information
Mar. 1, 2019: Third Party Service Provider Security Policy
Where Is This All Going?
Where Is This All Going?
- Regulation via Enforcement vs. Prescriptive Regulations vs. Standards and Frameworks
- Voluntary vs. Mandatory
- The Patchwork Problem: NY is likely one of many; the financial services sector is also one of many
- The Trickle-Down Effect: the rise of market and private law
- Liability Shield?
- Litigation and Enforcement
Questions?
Thank you!
Gus Coldebella, Principal, Boston, D.C. | 617-521-7033 | coldebella@fr.com | @g_co
Caroline Simons, Principal, Boston, New York | 617-956-5907 | simons@fr.com | @carosim
Please send your NY CLE forms or questions about the webinar to marketing at lundberg@fr.com. A replay of the webinar will be available for viewing at http://fishlitigationblog.com.
Copyright 2017 Fish & Richardson P.C.