On March 1, 2018, the New York Department of Financial Services (NYDFS) “cybersecurity regulations” (23 NYCRR Part 500) took effect, placing a number of cybersecurity requirements on banks, insurance companies, and other financial services institutions and licensees regulated by the NYDFS (“Covered Entities”).

To aid in compliance with the regulation, the NYDFS recently added new guidance regarding Covered Entities to its Frequently Asked Questions. The FAQs were last updated in December 2017, and the revisions include four new questions, which are summarized below:

  1. Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?

An Exempt Mortgage Servicer “will not fit the definition of a Covered Entity…” However, the NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.”

  2. Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500?

Yes. Not-for-profit Mortgage Brokers are Covered Entities under 23 NYCRR 500.

  3. Do Covered Entities have any obligations when acquiring or merging with a new company?

NYDFS provides the following guidance regarding mergers and acquisitions: “When Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [various regulatory requirements] apply to a particular acquisition. Some important considerations include, but are not limited to, the type of business of the target company, the target company’s risk for cybersecurity including its availability of personally identifiable information, the safety and soundness of the Covered Entity, and the integration of data systems.” NYDFS also emphasizes the need for a serious due diligence process, with cybersecurity treated as a priority throughout the acquisition process.

  4. Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities?

Yes. As detailed in new FAQ 4, both HMOs and CCRCs are Covered Entities subject to DFS authority by virtue of New York’s Public Health and Insurance laws.

The NYDFS Cybersecurity FAQs are available here.

On March 1, 2018, the one-year transition period ends within which banks, insurance companies, and other financial services institutions and licensees regulated by the New York Department of Financial Services (“Covered Entities”) must have implemented a cybersecurity program. By March 1, Covered Entities must be in compliance with the following requirements:

23 NYCRR 500 §§:

  • 04(b): Chief Information Security Officer (“CISO”) – Each Covered Entity must have designated a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy. The CISO of each Covered Entity shall report in writing at least annually to the Covered Entity’s board of directors or equivalent governing body. The CISO shall report on the Covered Entity’s cybersecurity program and material cybersecurity risks.
  • 05: Penetration Testing and Vulnerability Assessments – The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s risk assessment. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessment.
  • 09: Risk Assessment – Each Covered Entity shall conduct a periodic risk assessment of the Covered Entity’s information systems sufficient to inform the design of the cybersecurity program as required by this part. The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented.
  • 12: Multi-Factor Authentication – Based on its risk assessment, each Covered Entity shall use effective controls, which may include multi-factor authentication or risk-based authentication, to protect against unauthorized access. Multi-factor authentication shall be used for any individual accessing the Covered Entity’s internal networks from an external network.
  • 14(b): Training and Monitoring – Each Covered Entity shall provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its risk assessment.

A PDF containing detailed descriptions for each requirement is found here.

On February 15, 2018—that is, today—banks, insurance companies and other financial services institutions and licensees regulated by the New York Department of Financial Services (DFS) are required to file their first certification of compliance with DFS’s far-reaching cybersecurity regulation (23 NYCRR Part 500) (the “Regulation”).

The Regulation, which became effective on March 1, 2017, is touted as being the first cybersecurity regulation in the nation, requiring significant operational, technology and reporting changes in order for entities covered by the Regulation (Covered Entities) to comply. Covered Entities are required to electronically file a certification statement through the DFS cybersecurity portal confirming the company’s cybersecurity program met the Regulation’s requirements for the prior calendar year. The deadline is today. Have you filed?

For more information on the Regulation and additional upcoming deadlines, click here.

On March 1, 2017, New York’s Cybersecurity Regulation (23 NYCRR Part 500)[1] became effective. The regulation is the first of its kind in the nation and requires certain companies, including banks, insurance companies and other financial services institutions regulated by the Department of Financial Services (“Covered Entities”), to have:

  • a cybersecurity program designed to protect consumers’ private data;
  • a written policy or policies that are approved by the Board of Directors or a senior officer;
  • a Chief Information Security Officer to help protect data and systems; and
  • in place controls and plans to help ensure the safety and soundness of New York’s financial services industry.[2]

In addition, pursuant to the regulation, Covered Entities must report a cybersecurity event if (a) the event impacts the Covered Entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or (b) the event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity. Details regarding what constitutes such an event are available on the New York Department of Financial Services website.[3]

We have previously reported about the upcoming New York Financial Services Cybersecurity Regulations. On February 16, 2017, Governor Andrew M. Cuomo announced that “the first-in-the-nation cybersecurity regulation to protect New York’s financial services industry and consumers from the ever-growing threat of cyber-attacks will take effect on March 1, 2017.”

The regulation is being touted by New York officials as being a “risk based” regulation, which requires financial services companies regulated by the New York State Department of Financial Services (DFS) to comply by implementing a cybersecurity program that will prevent and avoid cyber breaches.

In addition, the regulation requires that the top levels of the company instill a culture of compliance into the organization and be responsible for the cybersecurity program, including certifying compliance to the Superintendent on an annual basis.

The regulation has specific requirements that must be included in the cybersecurity program, including designating a Chief Information Security Officer and appropriate oversight of the program.

The Superintendent of DFS will enforce the regulations. The regulations go into effect on March 1, 2017, and covered entities will be required to annually prepare and submit a Certification of Compliance with the Superintendent starting February 15, 2018.

The New York Department of Financial Services announced last week that it will revise and delay the effective date of its proposed cybersecurity regulation. The announcement came two days after New York bankers brought up a number of criticisms of the proposed rules at a hearing before the state’s Standing Committee on Banks.

At the hearing, bankers lamented that the proposed regulation will prove too burdensome to implement, particularly for small community banks.

The New York Department of Financial Services (NYDFS) will delay the effective date of its proposed cybersecurity regulation until March 1, 2017. A new draft of the proposed regulation will be published on December 28, 2016, with an anticipated 30-day comment period. The original proposed regulation met with significant resistance, including reportedly more than 150 comment letters. Many of the comments described the proposed regulation as highly prescriptive and lacking allowance for Covered Entities to make risk-based decisions on certain important technology matters. Additionally, a number of comments requested the ability to distinguish between small and large Covered Entities in structuring cybersecurity programs based on size and risk. A number of the comments also expressed concern that inconsistencies with federal and other state regulations, which are anticipated in the future, would make compliance highly complicated. Nevertheless, a number of comments expressed agreement with the Department’s goal of improving cybersecurity programs overall. If the original 180 days for Covered Entities to come into compliance with the regulation is maintained, August 28, 2017, will be a crucial date. It is not known whether the Department will extend the January 15, 2018, date for Certification of Compliance with the regulation.

The New York State Department of Financial Services (NYDFS) recently published the results of its cybersecurity survey of more than 150 regulated small, medium, and large banking organizations. The survey asked for information about the banks’ use and management of third-party service vendors with access to sensitive information. In particular, the survey asked banks whether they conducted initial or periodic due diligence assessments of third-party vendors, and what measures vendors took to safeguard sensitive information and/or to protect against loss due to security incidents. Less than half of the banks surveyed required due diligence assessments of potential third-party vendors prior to a contract. About one-third conducted periodic assessments during the term of the vendor’s contract. A third of the respondents did not require the vendor to notify them in the event of a security incident or breach.

NYDFS announced it will use the results to help it develop and adopt threshold cybersecurity standards for regulated banking organizations and their vendors. The anticipated standards will likely include due diligence, suggested or mandated vendor cybersecurity representations and warranties as well as a reporting mandate on security incidents.

Regulators, including NYDFS, continue to focus on requiring minimum cybersecurity standards to be in place when companies provide third-party vendors access to their IT systems and sensitive data. These minimum standards target identified areas of risk and are intended to reduce the number and severity of cybersecurity incidents. The particular focus on third-party vendors reflects the recognition that a number of recent large-scale breaches, such as those suffered by Target and Home Depot, occurred in whole or in part because credentials of a third-party vendor were apparently stolen.

NYDFS’ survey results are available in the report “Update on Cyber Security in the Banking Sector: Third Party Service Providers,” which updates its 2014 “Report on Cybersecurity in the Banking Sector” that emphasized banks’ widespread reliance on third-party vendors for important banking functions, such as trading and settlement operations, check and payment processing.

NYDFS is the principal regulator for state-licensed and state-chartered financial entities and other financial institutions operating in the State of New York, as well as insurance companies.

A growing number of states have enacted laws this year to study artificial intelligence (AI), ahead of possible legislative action to address expected threats to jobs, civil liberties, and property rights from the emerging technology. The specific goals of these committees have varied. For instance, Minnesota is studying how AI-enabled intelligence sharing by law enforcement might lead to civil liberties violations, while North Dakota is considering how the technology could affect matters ranging from the job market to the 2024 elections. Perhaps leading the pack, Vermont released a detailed inventory of the AI currently deployed in its state government. The state plans to use this information to develop a robust AI ethics board and audit procedures to protect the rights of Vermont citizens amidst future AI developments.

Industry-specific guidance has begun to emerge as well. For instance, many state insurance regulators are weighing in on “novel data sources,” or non-traditional data points that insurers may use to inform underwriting decisions. These data sources may include everything from educational attainment to social media presence. Regulators are coming to different conclusions on the matter, though. For instance, proposed Colorado Insurance Commissioner guidance treats motor vehicle reports and criminal history as novel data sources, while guidance from New York’s Department of Financial Services does not.

Businesses seeking to leverage AI’s transformative power will need to keep a close eye on these developments, and wise companies may consider proactively forming an AI governance committee.

Pretty much the only time I don’t feel like I am Chicken Little predicting a massive cyber-attack is when I am with my colleagues at the FBI, Secret Service, NSA and my students in the Brown Executive Masters of Cybersecurity who are members of the military. They don’t respond to my thoughts and fears of cyber-attacks with a cocked head or raised eyebrow like everyone else in my life.

I am concerned that at some point in the future, we will experience a massive cyber-attack that may affect critical infrastructure that we depend on every day. It will not be total and complete. There won’t be a large loss of lives. It will not affect us for a long period of time. But when it happens, it will be effective in disrupting our lives and causing chaos like we have never before experienced. It will be chaotic because we are completely dependent on technology. If our technology is disrupted, our lives will be in massive disorder.

This scenario became more real this week with the increased tensions between the United States and Iran. Iran has had sophisticated cyber capabilities for years and has been behind many cyber-attacks around the world. Sanctions have not had an impact on the effectiveness of Iranian-backed hackers, much the same as those imposed on North Korea.

I am not Chicken Little. The Department of Homeland Security warned this week of the heightened risk of Iranian-backed cyber-attacks on critical infrastructure in the United States. The New York Department of Financial Services (DFS) warned banks of the increased risk of an Iranian-backed cyber-attack on the financial services industry. Other such attacks also could affect power, electricity, water, financial services, hospitals, chemical plants, schools, manufacturing facilities—you name it. How do we personally prepare for an attack that may affect those systems and services?

Preparing for a cyber-attack on critical infrastructure is much the same as preparing for a natural disaster in the face of Mother Nature. Think about what you would need if you were not able to have access to electricity or water, or not able to pay for things through your credit card or debit card or even get access to your online bank account. What would you need if cell service were not available? I often think of what I would have needed following Hurricane Katrina. But in a cyber-attack, you can’t get in your car and drive to another city or state to avoid the disaster.

Some things to consider in this time of increased threat from Iran and the warning from DHS and DFS would be to have on hand extra water, cash, non-perishable food, candles, a generator, prescription medication, a flashlight and other basic daily necessities that will help get you through a week or two of disruption. Just picture not having access to your online bank account, or the ability to use your credit or debit card or your cell phone. What do you need if the electricity is out? How would you survive “Naked and Afraid?”

Heed the warnings from DHS and DFS – examine your daily routine to determine what you would need and prepare now. That way, whether it is a cyber-attack from Iran, or a threat from Mother Nature, you will be prepared.