NYDFS Cybersecurity Regulations - Fish & Richardson · 2017-12-13 · Introduction • New York...
NYDFS Cybersecurity Regulations: What do they mean? What is their impact?
June 13, 2017
Caroline Simons
Principal, Boston
Gus Coldebella
Principal, Boston
Agenda
1) Overview of the new regulations
2) Assessing their impact
3) How these regulations fit into the broader cybersecurity regulatory landscape
Overview of the New Regulations
Introduction
• New York Division of Financial Services (NYDFS) promulgated substantive, first-in-nation cybersecurity regulations
• Effective Date was March 1, 2017
• Require assessment, evaluation, establishment, and implementation of a cybersecurity program to address cyber risks
• Protect customer and employee information
• Protect business information and IT systems
• Guard against disruption in business operations
• Augment and supplement the federal Gramm-Leach-Bliley Act (GLBA)
Who’s Covered?
Covered Entities:
• All individuals or non-governmental entities
• Operating under authorization of New York’s Banking Law, Insurance Law, or Financial Services Law
But covered entities are exempt from certain provisions if they are:
• Small (fewer than 10 employees, less than $5m revenue, or less than $10m assets);
• Designees covered by other covered entities;
• Without access to Nonpublic Information; or
• Captive insurance companies
Not covered: Reinsurers, Risk Retention Groups, charitable annuity societies (e.g., colleges and universities)
23 NYCRR 500.19
Key Changes from Earlier Drafts
Timeline:
• Proposed: Sept. 13, 2016
• Revised: Dec. 28, 2016
• Final: Feb. 16, 2017
Changes:
• Greater emphasis on role of Risk Assessment
• Incorporation of “materiality” standard
• Reducing frequency of certain requirements
• More comprehensive documentation requirements & audit provisions
More customization + More flexibility (?) + More accountability
Diving In
Overview
• Personnel
• Reporting
• Risk Assessment & Cybersecurity Policy
• Documentation
• Third Parties
Key Definitions
• Affiliate – defined by common control
• Cybersecurity Event – any act or attempt (successful or unsuccessful) to gain unauthorized access to, disrupt or misuse an Information System (IS) or information stored on an IS
• Nonpublic Information – all electronic information that is not Publicly Available Information and is:
  • Business-related information, the compromise of which would cause material adverse impact to business, operations, or security
  • Personally-Identifiable Information
  • Protected Health Information
• Publicly Available Information – information that one has a reasonable basis to believe is lawfully made available to the general public
23 NYCRR 500.01
Conduct Risk Assessment (Start Here!)
• Conduct a periodic Risk Assessment sufficient to inform the design of the cybersecurity program.
• Must be conducted according to written policies and procedures
• Must be documented
• Must be updated as reasonably necessary to address changes
• Policies and procedures must cover:
  • How to evaluate and categorize identified risks or threats;
  • How to assess confidentiality, integrity, security, and availability of information systems and nonpublic information;
  • How to decide whether to mitigate or accept risks;
  • How the cybersecurity program will address the risk.
23 NYCRR 500.09(b)
Maintain Cybersecurity Program
• Maintain a Cybersecurity Program designed to protect confidentiality, integrity & availability of Information Systems (IS)
• Should be based on the Risk Assessment
• Program must be documented, and designed to:
  • Identify cyber risks that threaten nonpublic information stored on IS;
  • Use defensive infrastructure and implement policies to protect IS and nonpublic information stored on IS;
  • Detect cybersecurity events;
  • Respond to, and mitigate the effects of, cybersecurity events;
  • Recover from cybersecurity events & restore normal operations;
  • Fulfill regulatory reporting requirements.
23 NYCRR 500.02
Monitoring and Testing
Cybersecurity program must include monitoring and testing (again, measured against the Risk Assessment), comprising:
• Continuous monitoring, OR
• Annual penetration testing AND bi-annual vulnerability assessments
23 NYCRR 500.05
Other Cybersecurity Measures
Access Privileges – Limit user access privileges to IS that provide access to Nonpublic Information. 23 NYCRR 500.07
Assessments of Application Security – Review, assess, and update procedures and guidelines concerning the security of IS applications. 23 NYCRR 500.05
Multi-Factor Authentication – Use MFA or Risk-Based Authentication to protect against unauthorized access. 23 NYCRR 500.12
Limitations on Data Retention – Periodic, secure disposal of Nonpublic Information that is no longer necessary for business operations/purpose. 23 NYCRR 500.13
Encryption of Nonpublic Information – Encrypt, if feasible, Nonpublic Information held or transmitted, both in transit over external networks and at rest. 23 NYCRR 500.15
Create an Incident Response Plan
Must create a written incident response plan designed to promptly respond to, and recover from, any cybersecurity event materially affecting the confidentiality, integrity, or availability of:
• covered entity’s IS, or
• continuing functionality of any aspect of business or operations.
Plan must address:
(1) internal processes for responding to a cybersecurity event;
(2) goals of the incident response plan;
(3) definition of clear roles, responsibilities & levels of decision-making authority;
(4) external and internal communications and information sharing;
(5) identification of requirements for the remediation of identified weaknesses in IS and associated controls;
(6) documentation and reporting regarding cybersecurity events; and
(7) evaluation and revision of the plan following a cybersecurity event.
23 NYCRR 500.16
Implement and Maintain Cybersecurity Policy
• Implement and maintain a written cybersecurity policy
• Approved by Senior Officer or Board of Directors
• Sets forth the cybersecurity program for the protection of IS and the Nonpublic Information stored on IS
• Again, based on the Risk Assessment
23 NYCRR 500.03
Implement and Maintain Cybersecurity Policy
Data
• Information security
• Data governance & classification
• Customer data privacy
Systems and Network
• Access controls and identity management
• Ops & availability
• Security
• Monitoring
• App development & quality assurance
• Physical security and env. controls
Business Operations
• Vendor and 3rd party management
• Risk assessment
• Incident Response
Designate a Chief Information Security Officer
• Designate a CISO to oversee and implement the cybersecurity program and enforce the cybersecurity policy
• May be employed by Covered Entity, affiliate, or 3rd party provider
• CISO to report in writing at least annually to Board of Directors
• Report shall cover:
  1) Confidentiality of Nonpublic Information and integrity and security of IS
  2) Cybersecurity policy and procedures
  3) Material cybersecurity risks
  4) Overall effectiveness of cybersecurity program
  5) Material cybersecurity events involving the Covered Entity during the reporting time period
23 NYCRR 500.04
Other Regulations re: Personnel
• Monitoring – implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users
23 NYCRR 500.14(a)
• Utilization – Utilize qualified cybersecurity personnel to manage cybersecurity functions and manage risk
• Training
  • Provide cybersecurity personnel with updates and training sufficient to address risk
  • Provide all personnel with updated cybersecurity awareness training
• Verification – Verify that cybersecurity personnel take steps to maintain current knowledge of cybersecurity threats and countermeasures
Cybersecurity personnel may be employees or employees of affiliates or 3rd party providers
23 NYCRR 500.10, 500.14
Reporting: 72-Hour Notice Rule
Covered entity must inform DFS of a cybersecurity event within 72 hours from a determination that a Cybersecurity Event occurred, if the event is:
• a cybersecurity event for which notice is required to any other government or self-regulatory agency; or
• a cybersecurity event that has a “reasonable likelihood of materially harming any material part of the normal operation(s)” of the covered entity.
23 NYCRR 500.17(a)
Reporting: Annual Written Statement
Covered entity must submit to the superintendent an annual written statement covering the prior calendar year, certifying compliance.
• All records to be maintained for 5 years for potential examination by DFS
23 NYCRR 500.17(b)
Audit Trail
Covered entities must maintain systems:
• Designed to reconstruct material financial transactions sufficient to support normal operations and obligations
• That include audit trails designed to detect and respond to cybersecurity events
23 NYCRR 500.06
Required Documentation
Generally:
• Risk Assessment
• Documentation relevant to Cybersecurity Program
• Cybersecurity Policy
• In-house Application Development procedures and standards
• CISO written report
• Third Party Policy
Retain 3 years:
• Audit trails
Retain 5 years:
• Records supporting annual certificate of compliance
• Material remedial or improvement measures for systems as required
• Reconstruction of material financial transactions
Regulation of Third Parties
Covered entities are required to develop and implement written policies and procedures to ensure security of IS or Nonpublic Information that can be accessed by their vendors and other third parties.
Two requirements of covered entities:
• Must assess risks arising from third party access; and
• Enforce data security guidelines and protocols on all vendors and business partners handling IS and nonpublic information through due diligence and/or contractual agreements
23 NYCRR 500.11
The Immediate Impact
Key Dates
Aug. 28, 2017:
• Cybersecurity Program
• Cybersecurity Policy
• Designation of CISO
• Access Privileges
• Cybersecurity Personnel & Intel
• Incident Response Plan
Sept. 27, 2017:
• Notice of Exemption deadline
Feb. 15, 2018:
• First Annual Certification of Compliance
Mar. 1, 2018:
• Risk Assessment
• Training Program
• CISO Report to Board
• Multi-Factor Authentication
• Pen Testing & Vulnerability Assessments
Sept. 1, 2018:
• Audit Trail
• Monitoring Program
• Application Security
• Limitations on Data Retention
• Encryption of Nonpublic Information
Mar. 1, 2019:
• Third Party Service Provider Security Policy
Where Is This All Going?
• Regulation via Enforcement vs. Prescriptive Regulations vs. Standards and Frameworks
• Voluntary vs. Mandatory
• The Patchwork Problem
  • NY is likely one of many
  • Financial services sector is also one of many
• The Trickle-Down Effect – the rise of market and private law
• Liability Shield?
• Litigation and Enforcement
Questions?
Thank you!
Please send your NY CLE forms or questions about the webinar to marketing at [email protected].
A replay of the webinar will be available for viewing at http://fishlitigationblog.com.
Gus Coldebella
Principal
Boston, D.C.
617-521-7033
@g_co
Caroline Simons
Principal
Boston, New York
617-956-5907
@carosim
© Copyright 2017 Fish & Richardson P.C.