Cybersecurity Requirements For Financial Services Companies.
Purpose:
To require effective cybersecurity to protect consumers and ensure the safe and sound operation of Department-regulated entities.
Substance of proposed rule (Full text is posted at the following State website: http://www.dfs.ny.gov):
The following is a summary of the proposed rule:
Section 500.0, “Introduction,” introduces the proposed rule.
Section 500.01, “Definitions,” defines terms used throughout the proposed rule.
Section 500.02, “Cybersecurity Program,” requires that each Covered Entity establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of its Information Systems.
Section 500.03, “Cybersecurity Policy,” requires each Covered Entity to implement and maintain a written cybersecurity policy addressing specified areas and also sets forth the requirements for internal review and approval of that policy.
Section 500.04, “Chief Information Security Officer,” requires that each Covered Entity designate a qualified individual to serve as CISO, and that the CISO develop a report, at least bi-annually, which shall be reviewed internally and which shall address specified cybersecurity issues.
Section 500.05, “Penetration Testing and Vulnerability Assessments,” requires each Covered Entity’s cybersecurity program to include annual penetration testing and a quarterly vulnerability assessment of the Covered Entity’s Information Systems.
Section 500.06, “Audit Trail,” requires that the cybersecurity program for each Covered Entity shall include implementing and maintaining audit trail systems that meet specified requirements.
Section 500.07, “Access Privileges,” requires that each Covered Entity shall limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require such access and that the Covered Entity shall periodically review such privileges.
Section 500.08, “Application Security,” requires that each Covered Entity’s cybersecurity program include written procedures and standards designed to ensure the use of secure development practices for in-house developed applications, and procedures for assessing and testing the security of externally developed applications, and also requires that such procedures and standards be reviewed, assessed and updated at least annually.
Section 500.09, “Risk Assessment,” requires each Covered Entity to perform, at least annually, a risk assessment encompassing, among other things, evaluation, categorization and mitigation of risks, and to document the risk assessment in writing.
Section 500.10, “Cybersecurity Personnel and Intelligence,” requires each Covered Entity to employ sufficient cybersecurity personnel, provide for and require such personnel to attend regular cybersecurity training, and require key cybersecurity personnel to stay abreast of changing cybersecurity threats and countermeasures.
Section 500.11, “Third Party Information Security Policy,” requires each Covered Entity to develop policies and procedures designed to ensure the security of its Information Systems and Nonpublic Information accessible to, or held by, third parties doing business with the Covered Entity.
Section 500.12, “Multi-Factor Authentication,” enumerates the circumstances in which a Covered Entity shall require Multi-Factor Authentication and in which a Covered Entity shall support Multi-Factor Authentication.
Section 500.13, “Limitations on Data Retention,” requires each Covered Entity to have policies and procedures for the timely destruction of specified categories of Nonpublic Information.
Section 500.14, “Training and Monitoring,” requires each Covered Entity to implement risk-based policies to monitor the activity of Authorized Users and detect unauthorized access or use of Nonpublic Information, and to provide for and require all personnel to attend regular cybersecurity awareness training sessions.
Section 500.15, “Encryption of Nonpublic Information,” requires each Covered Entity to encrypt all Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest; allows for the use of compensating controls for one year for Nonpublic Information in transit, if encryption of such is infeasible; and allows for the use of compensating controls for five years for Nonpublic Information at rest, if encryption of such is infeasible.
Section 500.16, “Incident Response Plan,” requires each Covered Entity to establish a written incident response plan designed to promptly respond to, and recover from, a Cybersecurity Event.
Section 500.17, “Notices to Superintendent,” requires each Covered Entity to submit to the Superintendent a written statement by January 15, certifying that the Covered Entity is in compliance with the requirements set forth in the proposed rule; to maintain for examination by the Department all records, schedules and data supporting the certificate for a period of five years; to notify the Superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information; and to document the identification of areas that require material improvement, updating or redesign, as well as planned remedial efforts; in addition, to the extent that a Covered Entity has identified any material risk of imminent harm to its Information System from a Cybersecurity Event, the Covered Entity should notify the Superintendent within 72 hours and include such event in its annual report filed pursuant to this section.
Section 500.18, “Limited Exemption,” provides that Covered Entities that have less than the specified number of customers, gross annual revenue, and year-end total assets shall be exempt from the requirements of the proposed rule other than the requirements enumerated in Section 500.18; and that a Covered Entity that ceases to qualify for the limited exemption must comply with all requirements of the proposed rule.
Section 500.19, “Enforcement,” provides that the proposed rule will be enforced pursuant to, and is not intended to limit, the Superintendent’s authority under any applicable laws.
Section 500.20, “Effective Date,” provides that the proposed rule will be effective January 1, 2017, and that Covered Entities will be required to annually prepare and submit a certification of compliance pursuant to Section 500.17 commencing January 15, 2018.
Section 500.21, “Transitional Period,” provides that Covered Entities shall have 180 days from the effective date of the proposed rule to comply with its requirements, except as otherwise specified.
Section 500.22, “Severability,” states that in the event a specific provision of the proposed rule is adjudged invalid, such judgment will not impair the validity of the remainder of the proposed rule.
Text of proposed rule and any required statements and analyses may be obtained from:
Cassandra Lentchner, New York State Department of Financial Services, One State Street, New York, NY 10004, (212) 709-1675, email: CyberRegComments@dfs.ny.gov
Data, views or arguments may be submitted to:
Same as above.
Public comment will be received until:
45 days after publication of this notice.
This rule was not under consideration at the time this agency submitted its Regulatory Agenda for publication in the Register.
Regulatory Impact Statement
1. Statutory Authority: In Section 102 of the New York Financial Services Law (the “Financial Services Law” or “FSL”), the legislature declares that the purpose of the FSL is “to ensure the continued safety and soundness of New York’s banking, insurance and financial services industries, as well as the prudent conduct of the providers of financial products and services, through responsible regulation and supervision.” Pursuant to FSL Section 201, the Department of Financial Services (the “Department”) has broad authority to take such actions as are necessary to ensure the continued solvency, safety, soundness and prudent conduct of the providers of financial products and services; to protect users of financial products and services from financially impaired or insolvent providers of such services; and to eliminate financial fraud, other criminal abuse and unethical conduct in the industry. Further, FSL Section 301 gives the Department broad power “to protect users of financial products and services.” In addition, FSL Section 302 provides the Department with equally broad authority to adopt regulations relating to “financial products and services,” which are broadly defined in the Financial Services Law to mean essentially any product or service offered by a Department-regulated entity. Accordingly, the Department has ample authority to adopt the proposed rule.
Other statutory authority includes: FSL Sections 202 and 408.
2. Legislative Objectives: The Financial Services Law is intended to ensure the safe and sound operation of the financial system. Cybercriminals present an ever-growing threat to that system. They can cause significant financial losses for Department-regulated entities and for New York consumers who use the products and services of those entities. In addition, the private information of such consumers may be revealed and/or stolen by cybercriminals for illicit purposes. The proposed rule is intended to ensure that all financial services providers regulated by the Department have and maintain cybersecurity programs that meet certain minimum cybersecurity standards in order to protect consumers and continue operating in a safe and sound manner.
3. Needs and Benefits: The proposed rule is necessary to ensure that Department-regulated entities are effectively addressing ever-growing cybersecurity risks in order to protect consumers and continue operating in a safe and sound manner.
4. Costs: All Department-regulated entities will be responsible for ensuring that they are in compliance with the proposed rule, which will impose some costs on their operations. The proposed rule provides for a limited exemption for certain smaller entities, based on each entity’s number of customers, gross annual revenue, and year-end total assets. Entities that qualify for this limited exemption will be required to comply with only a limited number of sections in the proposed rule; thus, the costs of compliance for such entities are likely to be lower.
It is also anticipated that the costs of compliance will be offset to varying degrees when, as a result of complying with the proposed rule, entities avoid or mitigate cyber attacks that might otherwise have caused financial and other losses.
There should be no costs to any local governments as a result of the proposed rule.
5. Local Government Mandates: The proposed amendments do not impose any new programs, services, duties or responsibilities on local government.
6. Paperwork: The proposed rule requires entities to maintain a written cybersecurity policy and other written cybersecurity procedures and plans; to develop cybersecurity reports for presentation to the entity’s board or a senior officer; to submit to the superintendent an annual certification of compliance with the proposed rule; and to keep books and records documenting compliance.
Entities that qualify for the limited exemption have fewer written policy and record-keeping requirements.
7. Duplication: Part 421 of Title 11 of the New York Codes, Rules and Regulations, promulgated in conformance with the federal Gramm-Leach-Bliley Act, requires insurance entities to implement a comprehensive written information security program. To a very limited extent, the proposed rule overlaps with Part 421, but the proposed rule includes requirements that are far more specific than Part 421 in order to achieve more robust cybersecurity coverage and to ensure that the Department’s regulated entities have and maintain cybersecurity programs that meet certain minimum cybersecurity standards in order to protect consumers and continue operating in a safe and sound manner. Notably, Section 6807(b) of the Gramm-Leach-Bliley Act allows states to implement a statute, regulation, order, or interpretation affording protections that are greater than those listed in the Gramm-Leach-Bliley Act.
8. Alternatives: None.
9. Federal Standards: As noted in “Duplication,” above, the proposed rule will, in some respects, exceed the minimum standards established by the federal Gramm-Leach-Bliley Act. The Department believes that the proposed rule is not inconsistent with the federal Gramm-Leach-Bliley Act. Indeed, the proposed rule includes requirements that are more specific than those in the federal Gramm-Leach-Bliley Act in order to achieve more robust cybersecurity coverage and to ensure that the Department’s regulated entities protect consumers and continue operating in a safe and sound manner. Section 6807(b) of the Gramm-Leach-Bliley Act allows states to implement a statute, regulation, order, or interpretation affording protections that are greater than those listed in the Gramm-Leach-Bliley Act.
10. Compliance Schedule: Regulated entities will have 180 days from the effective date of the proposed rule to comply with its requirements, except as otherwise specified. The proposed rule will be effective January 1, 2017. Covered Entities will be required to annually prepare and submit to the Superintendent a certification of compliance under Section 500.17 commencing January 15, 2018.
Regulatory Flexibility Analysis
1. Effect of the Rule: The proposed rule applies to all Department-regulated entities, but certain small businesses may qualify for a limited exemption provided for in Section 500.18 of the proposed rule. Those entities that qualify for the limited exemption – those that fall below the minimum specified number of customers, gross annual revenue, and year-end total assets – shall be exempt from the requirements of the proposed rule other than the requirements enumerated in Section 500.18.
The proposed rule does not apply to local governments and will not impose any adverse economic impact or any reporting, recordkeeping or other compliance requirements on local governments.
2. Compliance Requirements: Small businesses that do not qualify for the limited exemption found in Section 500.18 will be subject to all of the requirements of the proposed rule. If a small business does qualify for the limited exemption, such small business will be subject only to Sections 500.02, 500.03, 500.07, 500.09, 500.11, 500.13, 500.17, 500.18, 500.19, 500.20, and 500.21 of the proposed rule.
3. Professional Services: A small business will not necessarily need any professional services to comply with the proposed rule. However, under the proposed rule, a Department-regulated entity that is a small business (or any other Department-regulated entity) that does not qualify for the limited exemption under Section 500.18 may use a third party service provider as its Chief Information Security Officer.
The proposed rule does not apply to local governments.
4. Compliance Costs: Like all businesses subject to the proposed rule, small businesses will be responsible for ensuring that they are in compliance with the proposed rule, which will impose some costs on their operations. The Department believes that the need for compliance outweighs such costs.
5. Economic and Technological Feasibility: The Department believes it will be economically and technologically feasible for small businesses to comply with the requirements of the proposed rule.
6. Minimizing Adverse Impact: To minimize any adverse economic impact of the proposed rule on small businesses, the Department has included the limited exemption for smaller entities (Section 500.18 of the proposed rule). If a small business qualifies for the limited exemption, it will be subject to fewer compliance requirements.
7. Small Business and Local Government Participation: The proposed rule will be published publicly, including on the Department’s website, for notice and comment, which will provide small businesses with the opportunity to participate in the rulemaking process.
The proposed rule does not impact local governments.
Rural Area Flexibility Analysis
1. Types and Estimated Numbers of Rural Areas: Entities subject to the requirements of the proposed rule operate throughout this state, including in rural areas.
2. Reporting, Recordkeeping and Other Compliance Requirements; Professional Services: Entities subject to the proposed rule will be required to keep and maintain accurate books and records, be subject to examinations, and provide an annual certification to the superintendent certifying compliance with the requirements set forth in the proposed rule.
3. Costs: Entities subject to the proposed rule will be responsible for ensuring that they are in compliance with the proposed rule, which will impose some costs on their operations. The costs are not expected to be any higher for entities in rural areas than for any other entity subject to the proposed rule.
4. Minimizing Adverse Impact: The proposed rule is not expected to have an adverse impact on public or private sector interests in rural areas. The proposed rule is specifically tailored to the pressing need of addressing cybersecurity risks for Department-regulated entities; it is likely to have a positive impact on interests in rural areas as the proposed rule protects consumer data and protects financial services firms that provide services to consumers.
5. Rural Area Participation: The proposed rule will be published publicly, including on the Department’s website, for notice and comment, which will provide public and private interests in rural areas with the opportunity to participate in the rulemaking process.
Job Impact Statement
A Job Impact Statement is not being submitted because it is apparent from the nature and purposes of new Part 500 to 23 NYCRR that this proposed rulemaking will not have a substantial adverse impact on jobs and/or employment opportunities.