2 March 2017
The New York Department of Financial Services’ (‘NYDFS’) Cybersecurity Requirements for Financial Services Companies, codified under 23 N.Y.C.R.R. Part 500 (‘the Final Rule’), became effective on 1 March 2017, introducing significant revisions to the initial proposal issued by the NYDFS in September 2016. The Final Rule requires banks, insurance companies and other financial services institutions that are subject to regulation by the NYDFS (‘Covered Entities’) to establish and maintain a comprehensive cybersecurity programme that has to be compliant not only with explicit technical standards but also with detailed governance, data management, incident planning, system testing, and data incident reporting requirements.
Lisa Sotto, Partner at Hunton & Williams LLP, told DataGuidance, “The Final Rule represents a sea change for covered financial institutions [and] creates a significant compliance burden. [It] will serve as a de facto national standard, because bank systems do not operate solely within state boundaries and information cannot be confined to state borders. [Further], the Final Rule is highly prescriptive and will require a significant amount of work, especially for small and medium-size financial services companies that often lack the wherewithal to develop and implement such a comprehensive information security programme.”
Small companies, ‘designees covered by another Covered Entity,’ ‘entities that do not possess or handle non-public information,’ and ‘captive insurance companies’ are exempted from the Final Rule’s requirements. However, the Final Rule extends beyond Covered Entities to regulate, to a certain degree, companies that provide services to NYDFS regulated entities.
Alex Lakatos and Matthew Bisanz, Partner and Associate at Mayer Brown LLP respectively, explained, “The Final Rule will affect businesses [outside of New York] in at least three ways. Firstly, the scope of the Final Rule is somewhat unclear, and out of state businesses will need to expend resources to determine if they are required to operate under ‘a license, registration, charter, certificate, permit, accreditation or similar authorisation’ from the NYDFS. Secondly, the Final Rule does not address how multi-state businesses should comply or how the Final Rule applies to a business based in another state. Thirdly, the Final Rule requires regulated institutions to implement policies applicable to third party service providers. The third party service provider policies will effectively compel [such] providers to satisfy the Final Rule with respect to services they provide to a Covered Entity.”
In relation to third party service providers, Covered Entities are required to implement policies and procedures designed to ensure the security of their information systems and of any non-public information that is accessed or held by such providers. The third party has to comply with such policies to enter into a business relationship with the Covered Entity. In particular, the policy should set minimum cybersecurity standards to be met by third parties, establish due diligence procedures for evaluating the adequacy and continued adequacy of their security practices, and set out procedures to identify and assess the risk posed by such providers.
Sotto highlighted, “The service provider requirements are quite onerous. Covered Entities will need to reconsider how they manage their vendors and impose strict requirements based on the Final Rule. This likely means that some service providers will need to be ousted and replaced by others that have a tighter handle on their security practices. This provision will also change the landscape for service providers throughout the country: to do business with a New York bank, they will need to conform their security practices to the Final Rule, even if they are located clear across the country.”
Finally, an annual certificate demonstrating the cybersecurity programme’s compliance with the Final Rule has to be validated and submitted to the NYDFS’ Superintendent by the board of directors or a senior officer of the Covered Entity.
Lakatos and Bisanz concluded, “We believe the annual compliance certification will be the most burdensome to implement. Even though the NYDFS removed some of the ‘scary’ language from the initial proposal, the Final Rule still effectively requires one or more senior executives or board members to put their name on the Covered Entity’s cybersecurity operations. Much as we saw with the implementation of the Sarbanes-Oxley Act 2002, we expect that Covered Entities will implement certification waterfalls in which business line employees, compliance staff, and external consultants will be required to certify to their superiors that their functions comply with the Final Rule. The top-level signer will then rely on those sub-certifications.”
Although the Final Rule has taken effect, transition periods are provided. The first annual certification of compliance must be submitted to the NYDFS by 15 February 2018.
Agata Dziedzic | Privacy Analyst