The two-year transitional period under the New York State Department of Financial Services (“DFS”) Cybersecurity Regulation, 23 NYCRR 500 (the “Regulation”), will expire on March 1, 2019, with the final remaining requirement becoming effective. Entities covered by the Regulation that utilize third party service providers, which include not only banks and insurers, but also other financial services institutions and licensees regulated by the DFS, will be required to implement third-party risk management programs by March 1.
Under the Regulation, all covered entities are required to have a robust cybersecurity program in place that is equipped to protect consumers’ private data including a written cybersecurity policy (or policies) that are approved by the Board of Directors or a Senior Officer; a qualified Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the covered entity’s cybersecurity program and enforcing the cybersecurity policy; and controls in place to help “ensure the safety and soundness of New York’s financial services industry,” such as encryption and multifactor authentication. Any failure of a covered entity to have these regulatory requirements in place, with the exception of certain entities with limited exemptions, will constitute a violation of the Regulation.
In addition, the second annual February 15, 2019, Certification of Compliance, which requires companies to confirm compliance with various provisions under the Regulation that have already been implemented on a staggered implementation timeline since March 1, 2017, is fast approaching.
Third Party Service Provider Risk-Management Program
Under the final phase of the two-year transitional period, covered entities must implement written policies and procedures designed to ensure the security of information systems and non-public information from risk posed by third party service providers. The policies and procedures must be based on a risk assessment by the covered entity and address:
- The identification and risk assessment of the third parties;
- Minimum cybersecurity practices required of third parties;
- Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices; and
- Periodic risk-based assessments of third parties.
Third party policies and procedures must include relevant guidelines for due diligence and/ or contractual protections, to the extent applicable, addressing:
- Third party’s access controls, including multi-factor authentication;
- Third party’s use of encryption;
- Notice to be provided to the covered entity in the event of a Cybersecurity Event;
- Representations and warranties addressing the third party’s cybersecurity policies; and procedures.
As noted above, on or before February 15, 2019, covered entities will be required to file a second annual Certification of Compliance covering the calendar year 2018. However, covered entities will not be required to certify their compliance with the Regulation’s third-party service provider risk management provisions until February 15, 2020.
The February 2019 certification will require covered entities to certify they have implemented the Regulation’s previously effective requirements relating to board oversight, periodic risk assessments, appropriate cybersecurity training for applicable personnel, penetration testing or continuous monitoring, multifactor authentication, a cybersecurity audit system, secure development practices for in-house developed applications, limitations on data retention, risk-based controls and encryption of non-public information. The DFS’s FAQs have made clear that it expects full compliance with the regulation and a covered entity that is not in full compliance with all applicable requirements should not submit a certification.
In addition, any covered entity that is entitled to an exemption must file a Notice of Exempt status by February 15, 2019, for the calendar year 2019 prior to filing the annual certification for calendar year 2018. This requirement applies even if a covered entity previously notified DFS of its exempt status, as the assessment of exemption status is an annual requirement.
On December 21, 2018, the DFS released a memorandum providing further guidance on compliance with the Regulation, which includes a reminder of the general requirements, DFS’s response to cybersecurity notifications that have been filed to date and its analysis of the types of incidents that have been reported pursuant to the notification requirement.
*Tristan Coughlin is admitted only in Washington, DC. Coughlin’s practice is supervised by principals of the firm admitted in Texas