Last month, the New York State Department of Financial Services (NYDFS) put forward a proposed regulation designed to impose new rigorous cybersecurity requirements on banks, consumer lenders, money transmitters, insurance companies as well as some financial service providers in New York State.
The State has indicated that securing both New York’s financial services firms and its consumers is the main priority. The aim is to lower the risk posture in light of the threats posed by “nation-states, terrorist organizations, and independent criminal actors.”
So far, so good. But affected firms need to get their skates on pronto. The effective date is January 1, just two months from now.
The impact is of course much broader than just New York State. Even “Non-U.S. insurers and reinsurers in particular will want to confirm if the proposed regulation applies – whether with respect to excess lines insurers, “trusteed” or “certified” reinsurers,” writes US law-firm Drinker Biddle.
Make no mistake – the requirements outlined below are of Clydesdale proportions. Experts at TBG security strongly recommend a comprehensive internal review to ensure everything is in place before the new year gallops into the present.
So what’s involved? Here is the high-level list:
Cybersecurity Program. Each Covered Entity shall establish and maintain a cybersecurity program designed to ensure the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
Cybersecurity Policy. Each Covered Entity shall implement and maintain a written cybersecurity policy setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information (see Note 1 below) stored on those Information Systems.
Chief Information Security Officer. Each Covered Entity shall designate a qualified individual to serve as the Covered Entity’s Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy.
Penetration Testing and Vulnerability Assessments. The cybersecurity program for each Covered Entity shall, at a minimum, include penetration testing of the Covered Entity’s Information Systems at least annually and vulnerability assessment of the Covered Entity’s Information Systems at least quarterly.
Audit Trail. The cybersecurity program for each Covered Entity shall, at a minimum, include implementing and maintaining audit trail systems.
Access Privileges. Each Covered Entity shall limit access privileges to Information Systems that provide access to Nonpublic Information solely to those individuals who require such access to such systems in order to perform their responsibilities and shall periodically review such access privileges.
Risk Assessment. At least annually, each Covered Entity shall conduct a risk assessment of the Information Systems. Such risk assessment shall be carried out in accordance with written policies and procedures and shall be documented in writing.
Cybersecurity Personnel and Intelligence. each Covered Entity shall employ (or use a qualified third party) to perform the duties of cybersecurity personnel, including managing the Covered Entity’s cybersecurity risks and performing the core cybersecurity functions.
Third Party Information Security Policy. Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third parties doing business with the Covered Entity.
Multi-Factor Authentication. Each Covered Entity shall require Multi-Factor Authentication for any individual in order to access the internal systems or data from an external network; to access web applications that capture, display or interface with Nonpublic Information, and to support Multi-Factor Authentication for any individual accessing web applications that capture, display or interface with Nonpublic Information.
Limitations on Data Retention. Each Covered Entity shall include policies and procedures for the timely destruction of any Nonpublic Information identified no longer necessary for the provision of the products or services.
Training and Monitoring. Each Covered Entity shall implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users as well as require all personnel to attend regular cybersecurity awareness training sessions
Encryption of Nonpublic Information. Each Covered Entity shall encrypt all Nonpublic Information held or transmitted by the Covered Entity both in transit and at rest, where feasible.
Incident Response Plan. Each Covered Entity shall establish a written incident response plan designed to promptly respond to, and recover from, any Cybersecurity Event affecting the confidentiality, integrity or availability of the Covered Entity’s Information Systems or the continuing functionality of any aspect of the Covered Entity’s business.
Notices to Superintendent. Each Covered Entity shall notify the superintendent of any Cybersecurity Event that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information. The Covered Entity must notify the superintendent as promptly as possible but in no event later than 72 hours after becoming aware of such a Cybersecurity Event.
Read New York state’s proposal yourself: CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES [PDF]
“In order to meet the Jan. 1, 2017 effective date, Covered Entities should now begin assessing their cybersecurity risks, policies and procedures to develop or enhance their cybersecurity program and to begin documenting and tracking their compliance efforts,” says the Harvard Law School Forum on Corporate Governance and Financial Regulation.
We couldn’t agree more. And get in touch with us if you need clarification, advice, strategic counsel and/or cybersecurity expertise. We’re here to help.
NOTE 1: The term ’Nonpublic information’ encompasses far more than the previously defined term ’Personal Information.’ According to Schlute, Roth and Zable “Most notably, the Proposed Regulation has several directives tied to ‘Nonpublic Information,’ and it defines that term broadly, including any information that would be considered nonpublic personal information under the Gramm-Leach-Bliley Act’s privacy rule (“GLBA Privacy Rule”). As a result, it captures far more data than what New York’s existing data protection law defines as “personal information.”[2] The requirement that “Nonpublic Information” be encrypted at rest (and not just in transit) may therefore be a significant burden on Covered Entities, as may the requirement that the Superintendent be notified of any ‘Cybersecurity Event’ that “affects” Nonpublic Information. Further, senior management must certify annually that the Covered Entity is in compliance.”
TBG Security is a leading provider of information security and risk management solutions for Fortune 100 and Fortune 500 companies. TBG designs and delivers cyber security solutions to work in harmony with existing operations. Companies depend on TBG services in areas including risk management, penetration testing, security policy development, security strategies for compliance, business continuity, network security, managed services, software and service integration and incident response.
For more information on how TBG Security can help your organization with your information security initiatives please visit https://tbgsecurity.com.