NYDFS Cybersecurity Regulations - Fish & Richardson · 2017-12-13 · Introduction • New York...


NYDFS Cybersecurity Regulations: What do they mean? What is their impact?

June 13, 2017

Caroline Simons, Principal, Boston
Gus Coldebella, Principal, Boston

Agenda

1) Overview of the new regulations
2) Assessing their impact
3) How these regulations fit into the broader cybersecurity regulatory landscape


Overview of the New Regulations

Introduction

• New York Division of Financial Services (NYDFS) promulgated substantive, first-in-nation cybersecurity regulations
• Effective Date was March 1, 2017
• Require assessment, evaluation, establishment, and implementation of a cybersecurity program to address cyber risks
• Protect customer and employee information
• Protect business information and IT systems
• Guard against disruption in business operations
• Augment and supplement the federal Gramm-Leach-Bliley Act (GLBA)

Who's Covered?

Covered Entities:
• All individuals or non-governmental entities;
• Operating under authorization of New York's Banking Law, Insurance Law, or Financial Services Law

But covered entities are exempt from certain provisions if they are:
• Small (< 10 employees, < $5m revenue, or < $10m assets);
• Designees covered by other covered entities;
• No access to Nonpublic Information; or
• Captive insurance companies

Not covered: Reinsurers, Risk Retention Groups, charitable annuity societies (e.g., colleges and universities)

23 NYCRR 500.19

Key Changes from Earlier Drafts

Proposed: Sept. 13, 2016 → Revised: Dec. 28, 2016 → Final: Feb. 16, 2017

• Greater emphasis on role of Risk Assessment
• Incorporation of "materiality" standard
• Reducing frequency of certain requirements
• More comprehensive documentation requirements & audit provisions

More customization + More flexibility (?) + More accountability


Diving In

Overview

• Risk Assessment & Cybersecurity Policy
• Personnel
• Reporting
• Documentation
• Third Parties

Key Definitions

• Affiliate – defined by common control
• Cybersecurity Event – any act or attempt (successful or unsuccessful) to gain unauthorized access to, disrupt or misuse an IS or information stored on IS
• Nonpublic Information – all electronic information that is not Publicly Available Information and is:
  • Business-related information, the compromise of which would cause material adverse impact to business, operations, or security
  • Personally-Identifiable Information
  • Protected Health Information
• Publicly Available Information – information that one has a reasonable basis to believe is lawfully made available to the general public

23 NYCRR 500.01


Conduct Risk Assessment (Start Here!)

• Conduct a periodic Risk Assessment sufficient to inform the design of the cybersecurity program.
• Must be conducted according to written policies and procedures
• Must be documented
• Must be updated as reasonably necessary to address changes
• Policies and procedures must cover:
  • How to evaluate and categorize identified risks or threats;
  • How to assess confidentiality, integrity, security, and availability of information systems and nonpublic information;
  • How to decide whether to mitigate or accept risks;
  • How the cybersecurity program will address the risk.

23 NYCRR 500.09(b)

Maintain Cybersecurity Program

• Maintain Cybersecurity Program designed to protect confidentiality, integrity & availability of Information Systems (IS)
• Should be based on the Risk Assessment
• Program must be documented, and designed to:
  • Identify cyber risks that threaten nonpublic information stored on IS;
  • Use defensive infrastructure and implement policies to protect IS and nonpublic information stored on IS;
  • Detect cybersecurity events;
  • Respond to, and mitigate the effects of, cybersecurity events;
  • Recover from cybersecurity events & restore normal operations;
  • Fulfill regulatory reporting requirements.

23 NYCRR 500.02

Monitoring and Testing

Cybersecurity program must include monitoring and testing (again, measured against the Risk Assessment), comprising:

• Continuous monitoring, OR
• Annual penetration testing AND bi-annual vulnerability assessments

23 NYCRR 500.05

Other Cybersecurity Measures

Access Privileges – Limit user access privileges to IS that provide access to Nonpublic Information. 23 NYCRR 500.07

Assessment of Application Security – Review, assess, and update procedures and guidelines concerning the security of IS applications. 23 NYCRR 500.05

Multi-Factor Authentication – Use MFA or Risk-Based Authentication to protect against unauthorized access. 23 NYCRR 500.12

Limitations on Data Retention – Periodic, secure disposal of Nonpublic Information that is no longer necessary for business operations/purpose. 23 NYCRR 500.13

Encryption of Nonpublic Information – Encrypt, if feasible, Nonpublic Information held or transmitted, both in transit over external networks and at rest. 23 NYCRR 500.15

Create an Incident Response Plan

Must create a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of:

• covered entity's IS, or
• continuing functionality of any aspect of business or operations.

Plan must address:

(1) internal processes for responding to a cybersecurity event;
(2) goals of the incident response plan;
(3) definition of clear roles, responsibilities & levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of identified weaknesses in IS and associated controls;
(6) documentation and reporting regarding cybersecurity events; and
(7) evaluation and revision of plan following a cybersecurity event.

23 NYCRR 500.16

Implement and Maintain Cybersecurity Policy

• Implement and maintain a written cybersecurity policy
• Approved by Senior Officer or Board of Directors
• Sets forth the cybersecurity program for the protection of IS and the Nonpublic Information stored on IS
• Again, based on the Risk Assessment

23 NYCRR 500.03

Implement and Maintain Cybersecurity Policy (areas the policy must address)

Data
• Information security
• Data governance & classification
• Customer data privacy

Systems and Network
• Access controls and identity management
• Ops & availability
• Security
• Monitoring
• App development & quality assurance
• Physical security and env. controls

Business Operations
• Vendor and 3rd party management
• Risk assessment
• Incident Response


Designate a Chief Information Security Officer

• Designate a CISO to oversee and implement the cybersecurity program and enforce the cybersecurity policy
• May be employed by Covered Entity, affiliate, or 3rd party provider
• CISO to report in writing at least annually to Board of Directors
• Report shall cover:
  1) Confidentiality of Nonpublic Information and integrity and security of IS
  2) Cybersecurity policy and procedures
  3) Material cybersecurity risks
  4) Overall effectiveness of cybersecurity program
  5) Material cybersecurity events involving the Covered Entity during the reporting time period

23 NYCRR 500.04

Other Regulations re: Personnel

• Monitoring – implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users. 23 NYCRR 500.14(a)

Other Regulations re: Personnel

• Utilization – Utilize qualified cybersecurity personnel to manage cybersecurity functions and manage risk
• Training
  • Provide cybersecurity personnel with updates and training sufficient to address risk
  • Provide all personnel with updated cybersecurity awareness training
• Verification – Verify that cybersecurity personnel take steps to maintain current knowledge of cybersecurity threats and countermeasures

Cybersecurity personnel may be employees or employees of affiliates or 3rd party providers. 23 NYCRR 500.10, 500.14


Reporting: 72-Hour Notice Rule

Covered entity must inform DFS of a cybersecurity event within 72 hours from a determination that a Cybersecurity Event occurred, if the event is:

• a cybersecurity event for which notice is required to any other government or self-regulatory agency; or
• a cybersecurity event that has a "reasonable likelihood of materially harming any material part of the normal operation(s)" of the covered entity.

23 NYCRR 500.17(a)

Reporting: Annual Written Statement

Covered entity must submit to the superintendent an annual written statement covering the prior calendar year, certifying compliance.

• All records to be maintained for 5 years for potential examination by DFS

23 NYCRR 500.17(b)


Audit Trail

Covered entities must maintain systems:

• Designed to reconstruct material financial transactions sufficient to support normal operations and obligations
• That include audit trails designed to detect and respond to cybersecurity events

23 NYCRR 500.06

Required Documentation (and retention period)

Generally:
• Risk Assessment
• Documentation relevant to Cybersecurity Program
• Cybersecurity Policy
• In-house Application Development procedures and standards
• CISO written report
• Third Party Policy

3 years:
• Audit trails

5 years:
• Records supporting annual certificate of compliance
• Material remedial or improvement measures for systems as required
• Reconstruction of material financial transactions


Regulation of Third Parties

Covered entities are required to develop and implement written policies and procedures to ensure security of IS or Nonpublic Information that can be accessed by their vendors and other third parties.

Two requirements of covered entities:

• Must assess risks arising from third party access; and
• Enforce data security guidelines and protocols on all vendors and business partners handling IS and nonpublic information through due diligence and/or contractual agreements

23 NYCRR 500.11


The Immediate Impact

Key Dates

Aug. 28, 2017
• Cybersecurity Program
• Cybersecurity Policy
• Designation of CISO
• Access Privileges
• Cybersecurity Personnel & Intel
• Incident Response Plan

Sept. 27, 2017
• Notice of Exemption deadline

Feb. 15, 2018
• First Annual Certification of Compliance

Mar. 1, 2018
• Risk Assessment
• Training Program
• CISO Report to Board
• Multi-Factor Authentication
• Pen Testing & Vulnerability Assessments

Sept. 1, 2018
• Audit Trail
• Monitoring Program
• Application Security
• Limitations on Data Retention
• Encryption of Nonpublic Information

Mar. 1, 2019
• Third Party Service Provider Security Policy


Where Is This All Going?


• Regulation via Enforcement vs. Prescriptive Regulations vs. Standards and Frameworks
• Voluntary vs. Mandatory
• The Patchwork Problem
  • NY is likely one of many
  • Financial services sector is also one of many
• The Trickle-Down Effect – the rise of market and private law
• Liability Shield?
• Litigation and Enforcement


Questions?

Thank you!

Please send your NY CLE forms or questions about the webinar to marketing at [email protected].

A replay of the webinar will be available for viewing at http://fishlitigationblog.com.

Gus Coldebella
Principal, Boston, D.C.
617-521-7033
[email protected]
@g_co

Caroline Simons
Principal, Boston, New York
617-956-5907
[email protected]
@carosim


© Copyright 2017 Fish & Richardson P.C. These materials may be considered advertising for legal services under the laws and rules of professional conduct of the jurisdictions in which we practice. The material contained in this presentation has been gathered by the lawyers at Fish & Richardson P.C. for informational purposes only, is not intended to be legal advice and does not establish an attorney-client relationship. Legal advice of any nature should be sought from legal counsel. Unsolicited e-mails and information sent to Fish & Richardson P.C. will not be considered confidential and do not create an attorney-client relationship with Fish & Richardson P.C. or any of our attorneys. Furthermore, these communications and materials may be disclosed to others and may not receive a response. If you are not already a client of Fish & Richardson P.C., do not include any confidential information in this message. For more information about Fish & Richardson P.C. and our practices, please visit www.fr.com.

#1 Patent Litigation Firm (Corporate Counsel, 2004–2016)