Session Overview - Association of Corporate...


Page 1: Session Overview - Association of Corporate Counselwebcasts.acc.com/handouts/NYDFS_Cybersecurity_Slides[1].pdf · Session Overview 1 ... - New York licensed insurance companies ...

Session Overview

•  Key Requirements
•  Who is Covered?
•  What is Covered (data and systems)?
•  Risk Assessment
•  Incident Response
•  Incident Reporting
•  Vendor Management
•  Considerations for Vendors/Third-Party Service Providers


Key Requirements

•  Maintain a cybersecurity program designed to protect the C.I.A. (confidentiality, integrity and availability) of Information Systems
•  Appoint a CISO and maintain qualified cybersecurity personnel
•  Based on the Risk Assessment:
   -  Design a cybersecurity program to perform the core functions (identify, protect, detect, respond and recover)
   -  Maintain a cybersecurity policy addressing enumerated topics
   -  Employ monitoring/penetration testing
   -  Maintain audit trails
   -  Limit access privileges
   -  Maintain a Third Party Service Provider policy addressing enumerated topics
   -  Employ multifactor authentication (or similar access controls)
   -  Provide cybersecurity training and awareness programs
   -  Employ encryption for data in transit and at rest
   -  Maintain data retention and deletion schedules
   -  Maintain an incident response plan


Who’s Covered?

•  The NYDFS cybersecurity rule applies to any covered entity
•  A covered entity is any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, Insurance Law or Financial Services Law.


Who’s Covered?

•  The following types of entities are covered:
   -  New York state chartered banks
   -  New York licensed branch and agency offices of foreign banks
   -  New York licensed insurance companies (including insurance companies domiciled in other states that are licensed to write insurance in New York)
   -  New York licensed insurance agents
   -  New York licensed lenders
   -  New York licensed check cashers
   -  New York licensed money transmitters
   -  New York registered mortgage loan servicers
   -  Out-of-state trust companies with a trust office in New York (probably)


Who’s Covered?

•  The following types of entities are not covered:
   -  National banks
   -  Federal savings associations
   -  Federally licensed branch and agency offices of foreign banks
   -  SEC-registered broker dealers
   -  Investment advisers


•  BUT… subsidiaries and affiliates of non-covered entities may be covered if they otherwise fall within the definition of covered person.
•  If a covered entity adopts an affiliate’s cybersecurity program, the program must meet the requirements of the rule and must be available to NYDFS for examination.


Who’s Covered?

•  Application of the rule to out-of-state banks that operate a branch in New York is not entirely clear
   -  If the branch was established de novo, New York law requires NYDFS approval to establish the branch. However, that requirement may be preempted by the federal Riegle-Neal Act.
   -  Out-of-state banks are permitted to acquire a branch in New York pursuant to a Riegle-Neal interstate merger without NYDFS approval.
   -  12 U.S.C. 1831a(j)(1) provides that “[t]he laws of a host State, including laws regarding community reinvestment, consumer protection, fair lending, and establishment of intrastate branches, shall apply to any branch in the host State of an out-of-State State bank to the same extent as such State laws apply to a branch in the host State of an out-of-State national bank. To the extent host State law is inapplicable to a branch of an out-of-State State bank in such host State pursuant to the preceding sentence, home State law shall apply to such branch.” So, the rule is arguably preempted since such rules would not appear to apply to national banks (or, to the extent they purport to apply, would likely be preempted).


Who’s Covered?

•  Common issues with scope of coverage
   -  If an organization has a common, enterprise-wide IT platform used by a Covered Entity, the requirements of the rule arguably apply to the aspects of the IT platform used by the Covered Entity, even if the system is used or operated by affiliates
      ▪  Other aspects of the rule may be limited to matters involving the Covered Entity (for example, breach notification)
   -  The rule’s service provider provisions on their face apply to third party, unaffiliated service providers. However, it’s not entirely clear whether NYDFS would seek to apply the rule to affiliated service providers


What is Covered?

•  Information Systems, not just data
   -  “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.”
      ▪  Systems don’t have to store, transmit, etc. sensitive data to be covered
      ▪  Extends the law’s coverage to non-intrusion incidents (e.g. DDoS)
•  Nonpublic Information, not just personal info
   -  PII, e.g. SSN, DL #, account or credit card number, passwords/access codes to a financial account, biometrics
   -  Health information (similar to HIPAA definition)
   -  Business related information … the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations, or security of the Covered Entity.
      ▪  Applies to business confidential info, even without any PII


Risk Assessment

•  The final rule does away with the “one size fits all” approach of the proposal in favor of more tailored application in many areas
•  There are many areas of the rule that apply based on an organization’s “risk assessment” (§ 500.09)
   -  Definition of nonpublic business related information includes a materiality qualifier
   -  The required cybersecurity program must be based on a risk assessment (§ 500.02)
   -  Penetration testing and bi-annual vulnerability assessments must be based upon identified risks in accordance with the risk assessment (§ 500.05)
   -  Data back up is based upon the risk assessment and must be sufficient to restore “normal” operations (§ 500.06)
   -  Training is to be based on “relevant” risks (§ 500.10)
   -  Policies and procedures related to service providers must be based on the risk assessment (§ 500.11)
   -  Controls to protect nonpublic information based on the risk assessment (§ 500.15)


Risk Assessment

•  The Risk Assessment concept (and risk-based approach to cybersecurity generally) has become a common feature of industry guidance:
   -  Federal Financial Institutions Examination Council (FFIEC) Cyber Assessment tool (“Inherent Risk Profile”)
      ▪  Federal Reserve, OCC, FDIC
   -  SEC Division of Investment Management guidance (for registered investment companies and registered investment advisors)
   -  NIST Framework for Improving Critical Infrastructure Cybersecurity
   -  Colorado Division of Securities proposed requirements for financial advisors and broker dealers


Incident Response

•  The DFS cybersecurity regulation follows GDPR in imposing documentation requirements for incident handling and response.
   -  § 500.16: Covered entities must have an incident response plan addressing:
      ▪  Response procedures
      ▪  Goals of the response plan
      ▪  Roles, responsibilities, levels of decision-making authority
      ▪  External and internal communications
      ▪  Remediation of systems/controls following an incident
      ▪  Documentation and reporting
      ▪  Evaluation and revision of plan as necessary
   -  § 500.18: Information provided by Covered Entity is subject to disclosure exemptions under applicable state or federal laws.


Incident Notification

•  Cybersecurity Regulation also follows GDPR in imposing 72 hour notification timeline, but with different trigger language.
   -  “Cybersecurity Event”: “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”
   -  Notification to DFS required within 72 hours from a determination that a Cybersecurity Event has occurred that either:
      ▪  (1) has a reasonable likelihood of materially harming any material part of the entity’s normal operations, or
      ▪  (2) triggers a notification requirement to any other government body, self-regulatory agency or any other supervisory body.


Vendor Management

•  § 500.03(l): Covered entity’s cybersecurity policy must address vendor/service provider management.
•  § 500.11(a): Covered entity must maintain a Third-Party Service Provider Policy based on the Risk Assessment addressing:
   -  (1) identification and risk assessment of service providers
   -  (2) minimum cybersecurity practices service providers must meet
   -  (3) due diligence processes
   -  (4) periodic assessment of service providers based on risks/practices


Vendor Management

•  § 500.11(b): Third-Party Service Provider policy must include guidelines for due diligence and/or contractual protections addressing:
   -  (1) Service providers’ policies/procedures regarding access controls, including use of multifactor authentication (§ 500.12)
   -  (2) Service providers’ policies/procedures regarding use of encryption for data in transit and at rest (§ 500.15)
   -  (3) Incident notification to be provided to the Covered Entity
   -  (4) Representations and warranties regarding service providers’ cybersecurity policies/procedures


Considerations for Vendors/Third-Party Service Providers

•  More stringent—and more granular—data handling requirements in vendor contracts.
   -  E.g. deployment of encryption in transit and at rest, multi-factor authentication, detailed audit logs and other technical controls for broad categories of sensitive info.
      ▪  Compliance may be difficult when considering the scope of Nonpublic Information
•  Cybersecurity reps and warranties
•  Broader definitions of a reportable data incident and shorter notification timelines.
•  More frequent audits, diligence reviews, etc.


Considerations for Vendors/Third-Party Service Providers

•  It is the Covered Entity’s responsibility—not the service provider’s—to comply with the regulations.
   -  Covered Entity must maintain a cybersecurity program designed to protect the C.I.A. of information systems and perform the core cybersecurity functions (§ 500.02(a)-(b)).
•  Service providers’ implementation of policies, controls, etc. depends on the Covered Entity’s Risk Assessment.
   -  Service Providers need specific guidance on implementation of controls—e.g. requirements to implement encryption or multifactor authentication in compliance with §§ 500.12, 500.15 will be insufficient.
•  Covered Entity clients may move towards ~24 hour notification for all data incidents.
   -  Regulation effectively moves up notification to all regulators.
   -  While the trigger is based on a “determination” that an event has occurred, late determination could violate § 500.02(b)(3) (program must “detect Cybersecurity events”)


Get in Touch

William E. Stern Partner, Financial Industry, Banking, Consumer Financial Services + FinTech Practices [email protected] +1 212 813 8890

Michael T. Borgia Legal Counsel, Data Integrity and Cybersecurity, Accenture LLP [email protected] +1 617 488 5100


About Us

At Goodwin, we use law to achieve unprecedented results for our clients.

Boston | Frankfurt | Hong Kong | London | Los Angeles | Paris | New York | San Francisco | Silicon Valley | Washington DC

Our 900 plus lawyers across the United States, Europe, and Asia excel at complex transactions, high-stakes litigations and world-class advisory services in the financial, life sciences, private equity, real estate, and technology industries. We partner with our clients to practice law with integrity, ingenuity, agility and ambition. To learn more, visit us at www.goodwinlaw.com and follow us on Twitter at @goodwinlaw and on LinkedIn.
