SPEAKERS
NYDFS Cybersecurity Regulations
Lisa J. Sotto, Hunton & Williams LLP
(212) 309-1223 | lsotto@hunton.com | www.huntonprivacyblog.com
March 9, 2017
The Privacy Team at Hunton & Williams
- Over 30 privacy professionals in the U.S., EU and Asia
- Our clients have included 6 of the Fortune 10
- Representing clients across multiple industry sectors, including financial services, retail, consumer products, technology, advertising, transportation, publishing, energy, health care and pharmaceutical
- Centre for Information Policy Leadership at Hunton & Williams
www.huntonprivacyblog.com | @hunton_privacy
63834496 6
Key Financial Services Incidents
- SWIFT
- Scottrade
- Morgan Stanley
- JPMorgan Chase
- Global Payments
- RBS Worldpay
Roadmap
- Purpose and Scope of the Regulations
- Key Definitions
- Key Requirements
- Preparing for the Regulations
Purpose and Scope of the Regulations
Applies to covered entities that are required to operate under a license or charter under the NY banking, insurance or financial services law. Examples include:
- Banks chartered in NY
- Trust companies
- Money transmitters
- Mortgage brokers
Does not apply to:
- National banks or banks chartered in other states
- Broker-dealers
- Federal credit unions
Key Definitions
- Cybersecurity Event
- Nonpublic Information
- Third Party Service Provider
Key Requirements
- Cybersecurity program
- Written cybersecurity policy, approved by a senior officer or the Board
- CISO, to report to the Board
- Penetration testing, vulnerability assessments and audit trails
- Periodic risk assessments
- Service provider policy
- Limits on data retention
- Encryption
- Written incident response plan
- Notification to DFS for cybersecurity events and annual certification of compliance
Cybersecurity Program
The cybersecurity program must be based on the covered entity's risk assessment and be designed to:
- identify and assess internal and external cybersecurity risks
- use defensive infrastructure and policies to protect the covered entity's information systems and data
- detect cybersecurity events
- respond to identified cybersecurity events
- recover and restore normal operations
- fulfill applicable regulatory reporting obligations
Written Cybersecurity Policy
- Covered entities must have a written policy based on a risk assessment
- Policy must be approved by a senior officer or the Board
- Must address such issues as:
  - access controls and identity management
  - business continuity and disaster recovery planning and resources
  - systems and network security and monitoring
  - physical security and environmental controls
  - customer data privacy
  - vendor and third party service provider management
  - incident response
Chief Information Security Officer and Cybersecurity Personnel
CISO:
- Individual responsible for overseeing and implementing the cybersecurity program and policy
- Can be employed by an affiliate or third party service provider of the covered entity
- Must report annually in writing to the Board of Directors
Cybersecurity Personnel:
- Must have sufficient cybersecurity training and updates
- Must verify that they take steps to maintain current knowledge of changing cybersecurity threats and measures
Penetration Testing, Vulnerability Assessments, Audit Trails and Risk Assessment
- Annual penetration testing
- Bi-annual vulnerability assessments
- Audit trails designed to:
  - reconstruct material financial transactions sufficient to support the covered entity's operations, and
  - detect and respond to cybersecurity events that have a reasonable likelihood of materially harming the covered entity's operations
- Audit trails must be retained for 5 years
- Risk assessment must be performed periodically and updated to address changes to Information Systems, Nonpublic Information or business operations
Service Provider Policy, Data Retention and Encryption
Service providers:
- Service provider policy must address minimum cybersecurity practices of vendors
- Due diligence
- Contractual representations and warranties
Data retention limitations:
- Nonpublic Information should be disposed of periodically if it is no longer needed for business operations or other legitimate business purposes, unless required by law
Encryption:
- Encryption of Nonpublic Information at rest and in transit
- Compensating controls are permitted if reviewed and approved by the CISO
Incident Response Plan
Must address such issues as:
- the internal processes for responding to a cybersecurity event
- the goals of the incident response plan
- the definition of clear roles, responsibilities and levels of decision-making authority
- external and internal communications and information sharing
- identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
- documentation and reporting regarding cybersecurity events and related incident response activities
- the evaluation and revision of the incident response plan following a cybersecurity event
Notification to DFS
Covered entities must notify DFS within 72 hours of:
- cybersecurity events of which notice is required to be provided to any government or self-regulatory or supervisory body; and
- cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity
Covered entities must submit an annual certification of compliance with the regulations by February 15 of each year
How do the NY Cybersecurity Regulations compare to GLB?

Information security program (greater specificity under NY)
  GLB: must include administrative, physical and technical safeguards
  NY:  must address 14 specific areas

Personnel requirements (increased under NY)
  GLB: must designate an employee or employees to coordinate the information security program
  NY:  must have a CISO and cybersecurity personnel

Testing and assessments (greater specificity and timing requirements under NY)
  GLB: not specified; based on risk assessment
  NY:  annual penetration testing and bi-annual vulnerability assessments

Notifying regulators following an incident
  GLB: as soon as possible
  NY:  within 72 hours
Path to Compliance
Covered entities have 180 days to comply, with specified exceptions:
- 1 year to conduct penetration testing, vulnerability assessments, risk assessment and cybersecurity training
- 18 months to comply with audit trail, data retention and encryption requirements
- 2 years to develop a third party service provider compliance program
Covered entities should conduct a gap analysis to understand compliance gaps. Remediation should focus first on issues with earlier compliance deadlines.
Lisa J. Sotto
Partner; Chair, Privacy and Cybersecurity Practice
Hunton & Williams LLP
(212) 309-1223 | lsotto@hunton.com | www.huntonprivacyblog.com
ABOUT ALLCLEAR ID
WE HELP GREAT COMPANIES KEEP THEIR CUSTOMERS SAFE
CUSTOMER SECURITY REQUIREMENTS
[Chart: number of records exposed per breach, ranging from 114K to 130M records and 100TBs of data]
REQUIREMENT FOR MULTI-FACTOR AUTHENTICATION
BREACH REQUIRES A SPECIAL OPERATIONS TEAM
BUILDING A SUCCESSFUL PLAN
EXECUTING YOUR PLAN
HOW TO GET YOUR TEAM ENGAGED
QUESTIONS?