Herrick and BDO Consulting Seminar: New York DFS Cyber Security Regulation – The New Normal

March 28, 2017
Herrick, Feinstein LLP

2 Park Avenue

New York City

The New York Department of Financial Services’ new sweeping cyber security regulations are now in effect. They will significantly impact banks, insurance companies and other financial institutions by requiring enhanced cyber security policies and procedures. Companies have six months to comply with the new regulations, so time is of the essence to get cyber security policies in order. The regulations also impact a professionals’ fiduciary duties. Herrick and BDO Consulting hosted a critical and timely discussion on how to manage and navigate this new regulatory environment and ensure compliance.

Valuable takeaways for executives:

  • The new DFS regulation is groundbreaking in scope, in its level of prescription and accountability. New York will be deemed the leader but regulators are likely to look to the DFS regulation as a minimum standard for cyber security.
  • While there are exemptions, most are limited and pertain primarily to small entities. Even though an organization falls within a limited exemption, it must still comply with many of the key requirements of the regulation and will be required to go through periodic processes to re-affirm they qualify for exemptions.
  • Board members and senior management are now responsible for cyber security. Under the regulation, a member of the board or senior officer must personally certify compliance on an annual basis.
  • Non-exempt covered entities need a Chief Information Security Officer (“CISO”). While you can elect to outsource the CISO role to a third party, you cannot outsource responsibility for oversight or accountability as DFS requires that someone within the company oversee the CISO. You cannot delegate your obligation.
  • DFS has broad authority to bring enforcement actions for noncompliance, and while it is still unclear what enforcement profile the DFS will elect to adopt, possible remedies may include fines, license revocation, and/or the engagement of an independent monitor, among others.
  • Liability will extend beyond the DFS. A cyber event that causes a loss to your clients or business will expose you to possible class action and other litigation and claims. Organizations need to prepare their records and documentation for the inevitable cyber event, including a robust response plan.
  • Look at third-party service providers as an extension of your own organization. The regulation requires companies to vet and manage service providers that access or control nonpublic information. A risk assessment should be undertaken to ensure all service providers are in compliance with your policies – your policies should take precedence.
  • Consider cyber insurance, but make sure it covers your company’s unique cyber risk profile. Look for coverage for regulatory fines and for security incidents for data controlled by service provides. Require third-party service providers carry their own cyber insurance and make sure their coverage will apply if there is a breach involving data in their possession. In addition, check levels of D&O coverage in light of the new responsibilities imposed by the DFS.
  • Add “notify your insurance carriers” to your incident response plan. Insurance may not be top of mind when a security event takes place but most cyber insurance policies require prior consent of the insurer before you incur any expenses in connection with the event.
  • Organizations should comply prior to the compliance date. Compliance obligations exist now because of your fiduciary duties. You cannot look to a client and note that a breach occurred prior to the compliance date and expect that will assuage their response.