NYDFS Cybersecurity Regulations: What do they mean? What is their impact?


June 13, 2017
NYDFS Cybersecurity Regulations: What do they mean? What is their impact?
Gus Coldebella, Principal, Boston
Caroline Simons, Principal, Boston

Agenda
1) Overview of the new regulations
2) Assessing their impact
3) How these regulations fit into the broader cybersecurity regulatory landscape

Overview of the New Regulations

Introduction
- New York Division of Financial Services (NYDFS) promulgated substantive, first-in-nation cybersecurity regulations
- Effective Date was March 1, 2017
- Require assessment, evaluation, establishment, and implementation of a cybersecurity program to address cyber risks:
  - Protect customer and employee information
  - Protect business information and IT systems
  - Guard against disruption in business operations
- Augment and supplement the federal Gramm-Leach-Bliley Act (GLBA)

Who's Covered?
- Covered Entities: all individuals or non-governmental entities operating under authorization of New York's Banking Law, Insurance Law, or Financial Services Law
- But covered entities are exempt from certain provisions if they are:
  - Small (< 10 employees, < $5m revenue, or < $10m assets);
  - Designees covered by other covered entities;
  - Without access to Nonpublic Information; or
  - Captive insurance companies
- Not covered: reinsurers, risk retention groups, charitable annuity societies (e.g., colleges and universities)
23 NYCRR 500.19

Key Changes from Earlier Drafts
Proposed: Sept. 13, 2016
Revised: Dec. 28, 2016
Final: Feb. 16, 2017
- Greater emphasis on role of Risk Assessment
- Incorporation of materiality standard
- Reducing frequency of certain requirements
- More comprehensive documentation requirements & audit provisions
More customization + More flexibility (?) + More accountability

Diving In

Overview
- Personnel
- Reporting
- Risk Assessment & Cybersecurity Policy
- Documentation
- Third Parties

Key Definitions
- Affiliate: defined by common control
- Cybersecurity Event: any act or attempt (successful or unsuccessful) to gain unauthorized access to, disrupt or misuse an IS or information stored on an IS
- Nonpublic Information: all electronic information that is not Publicly Available Information and is:
  - Business-related information, the compromise of which would cause material adverse impact to business, operations, or security
  - Personally Identifiable Information
  - Protected Health Information
- Publicly Available Information: information that one has a reasonable basis to believe is lawfully made available to the general public
23 NYCRR 500.01

Risk Assessment & Cybersecurity Policy

Conduct Risk Assessment (Start Here!)
Conduct a periodic Risk Assessment sufficient to inform the design of the cybersecurity program.
- Must be conducted according to written policies and procedures
- Must be documented
- Must be updated as reasonably necessary to address changes
Policies and procedures must cover:
- How to evaluate and categorize identified risks or threats;
- How to assess confidentiality, integrity, security, and availability of information systems and nonpublic information;
- How to decide whether to mitigate or accept risks;
- How the cybersecurity program will address the risk.
23 NYCRR 500.09(b)

Maintain Cybersecurity Program
Maintain a Cybersecurity Program designed to protect the confidentiality, integrity & availability of Information Systems (IS).
- Should be based on the Risk Assessment
- Program must be documented, and designed to:
  - Identify cyber risks that threaten nonpublic information stored on IS;
  - Use defensive infrastructure and implement policies to protect IS and nonpublic information stored on IS;
  - Detect cybersecurity events;
  - Respond to, and mitigate the effects of, cybersecurity events;
  - Recover from cybersecurity events & restore normal operations;
  - Fulfill regulatory reporting requirements.
23 NYCRR 500.02

Monitoring and Testing
Cybersecurity program must include monitoring and testing (again, measured against the Risk Assessment), comprising:
- Continuous monitoring, OR
- Annual penetration testing AND bi-annual vulnerability assessments
23 NYCRR 500.05

Other Cybersecurity Measures
- Access Privileges: Limit user access privileges to IS that provide access to Nonpublic Information (23 NYCRR 500.07)
- Assessments of Application Security: Review, assess, and update procedures and guidelines concerning the security of IS applications (23 NYCRR 500.05)
- Multi-Factor Authentication: Use MFA or Risk-Based Authentication to protect against unauthorized access (23 NYCRR 500.12)
- Limitations on Data Retention: Periodic, secure disposal of Nonpublic Information that is no longer necessary for business operations/purpose (23 NYCRR 500.13)
- Encryption of Nonpublic Information: Encrypt, if feasible, Nonpublic Information held or transmitted, both in transit over external networks and at rest (23 NYCRR 500.15)

Create an Incident Response Plan
Must create a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of:
- the covered entity's IS, or
- the continuing functionality of any aspect of business or operations.
Plan must address:
(1) internal processes for responding to a cybersecurity event;
(2) goals of the incident response plan;
(3) definition of clear roles, responsibilities & levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of identified weaknesses in IS and associated controls;
(6) documentation and reporting regarding cybersecurity events; and
(7) evaluation and revision of the plan following a cybersecurity event.
23 NYCRR 500.16

Implement and Maintain Cybersecurity Policy
Implement and maintain a written cybersecurity policy that:
- Is approved by a Senior Officer or the Board of Directors
- Sets forth the cybersecurity program for the protection of IS and the Nonpublic Information stored on IS
- Again, is based on the Risk Assessment
23 NYCRR 500.03

Implement and Maintain Cybersecurity Policy (areas the policy must address)
Data:
- Information security
- Data governance & classification
- Customer data privacy
Systems and Network:
- Access controls and identity management
- Ops & availability
- Security monitoring
- App development & quality assurance
- Physical security and environmental controls
Business Operations:
- Vendor and 3rd party management
- Risk assessment
- Incident Response

Personnel

Designate a Chief Information Security Officer
- Designate a CISO to oversee and implement the cybersecurity program and enforce the cybersecurity policy
- May be employed by the Covered Entity, an affiliate, or a 3rd party provider
- CISO to report in writing at least annually to the Board of Directors. Report shall cover:
  1) Confidentiality of Nonpublic Information and integrity and security of IS
  2) Cybersecurity policy and procedures
  3) Material cybersecurity risks
  4) Overall effectiveness of the cybersecurity program
  5) Material cybersecurity events involving the Covered Entity during the reporting time period
23 NYCRR 500.04

Other Regulations re: Personnel
- Monitoring: implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users
23 NYCRR 500.14(a)

Other Regulations re: Personnel
- Utilization: Utilize qualified cybersecurity personnel to manage cybersecurity functions and manage risk
- Training: Provide cybersecurity personnel with updates and training sufficient to address risk; provide all personnel with updated cybersecurity awareness training
- Verification: Verify that cybersecurity personnel take steps to maintain current knowledge of cybersecurity threats and countermeasures
- Cybersecurity personnel may be employees, or employees of affiliates or 3rd party providers
23 NYCRR 500.10, 500.14

Reporting

Reporting: 72-Hour Notice Rule
Covered entity must inform DFS of a cybersecurity event within 72 hours from a determination that a Cybersecurity Event occurred, if the event is:
- a cybersecurity event for which notice is required to any other government or self-regulatory agency; or
- a cybersecurity event that has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.
23 NYCRR 500.17(a)

Reporting: Annual Written Statement
- Covered entity must submit to the superintendent an annual written statement covering the prior calendar year, certifying compliance.
- All records to be maintained for 5 years for potential examination by DFS
23 NYCRR 500.17(b)

Documentation

Audit Trail
Covered entities must maintain systems:
- Designed to reconstruct material financial transactions sufficient to support normal operations and obligations
- That include audit trails designed to detect and respond to cybersecurity events
23 NYCRR 500.06

Required Documentation
Generally:
- Risk Assessment
- Documentation relevant to the Cybersecurity Program
- Cybersecurity Policy
- In-house Application Development procedures and standards
- CISO written report
- Third Party Policy
3 years:
- Audit trails
5 years:
- Records supporting the annual certificate of compliance
- Material remedial or improvement measures for systems, as required
- Reconstruction of material financial transactions

Third Parties

Regulation of Third Parties
Covered entities are required to develop and implement written policies and procedures to ensure the security of IS or Nonpublic Information that can be accessed by their vendors and other third parties.
Two requirements of covered entities:
- Must assess risks arising from third party access; and
- Enforce data security guidelines and protocols on all vendors and business partners handling IS and nonpublic information through due diligence and/or contractual agreements
23 NYCRR 500.11

The Immediate Impact

Key Dates
Aug. 28, 2017:
- Cybersecurity Program
- Cybersecurity Policy
- Designation of CISO
- Access Privileges
- Cybersecurity Personnel & Intel
- Incident Response Plan
Sept. 27, 2017:
- Notice of Exemption deadline
Feb. 15, 2018:
- First Annual Certification of Compliance
Mar. 1, 2018:
- Risk Assessment
- Training Program
- CISO Report to Board
- Multi-Factor Authentication
- Pen Testing & Vulnerability Assessments
Sept. 1, 2018:
- Audit Trail
- Monitoring Program
- Application Security
- Limitations on Data Retention
- Encryption of Nonpublic Information
Mar. 1, 2019:
- Third Party Service Provider Security Policy

Where Is This All Going?

Where Is This All Going?
- Regulation via Enforcement vs. Prescriptive Regulations vs. Standards and Frameworks
- Voluntary vs. Mandatory
- The Patchwork Problem: NY is likely one of many; the financial services sector is also one of many
- The Trickle-Down Effect: the rise of market and private law
- Liability Shield?
- Litigation and Enforcement

Questions?

Thank you!
Gus Coldebella, Principal, Boston, D.C., 617-521-7033, coldebella@fr.com, @g_co
Caroline Simons, Principal, Boston, New York, 617-956-5907, simons@fr.com, @carosim
Please send your NY CLE forms or questions about the webinar to marketing at lundberg@fr.com. A replay of the webinar will be available for viewing at http://fishlitigationblog.com.

Copyright 2017 Fish & Richardson P.C. These materials may be considered advertising for legal services under the laws and rules of professional conduct of the jurisdictions in which we practice. The material contained in this presentation has been gathered by the lawyers at Fish & Richardson P.C. for informational purposes only, is not intended to be legal advice and does not establish an attorney-client relationship. Legal advice of any nature should be sought from legal counsel. Unsolicited e-mails and information sent to Fish & Richardson P.C. will not be considered confidential and do not create an attorney-client relationship with Fish & Richardson P.C. or any of our attorneys. Furthermore, these communications and materials may be disclosed to others and may not receive a response. If you are not already a client of Fish & Richardson P.C., do not include any confidential information in this message. For more information about Fish & Richardson P.C. and our practices, please visit www.fr.com. #1 Patent Litigation Firm (Corporate Counsel, 2004-2016)