New York Department of Financial Services to Soon Require Extensive Cybersecurity Program

December 6, 2016

Under proposed regulations by the New York Department of Financial Services (“DFS”), covered entities that are subject to DFS oversight, including banks, insurance companies and other financial institutions, may have approximately 30 days to establish and maintain an extensive cybersecurity program. The proposed regulations, which have yet to be adopted, are scheduled to become effective January 1, 2017, with an additional 180-day transitional period.

With limited exceptions for smaller companies, which may be exempt from certain requirements, covered entities are required to have written policies and procedures designed to ensure the confidentiality, integrity and availability of their information systems.

Specifically, the proposed regulations list 14 aspects of cybersecurity that a covered entity’s policies and procedures should address, including data governance, system and network security and monitoring, and customer data privacy. In addition, the proposed regulations require, among other things:

  • Annual penetration testing and risk assessment of a covered entity’s information systems
  • Quarterly vulnerability assessment of a covered entity’s information systems
  • Implementation of audit trail systems
  • Limitation of access privileges
  • Cybersecurity awareness training for all employees
  • Establishment of a written incident response plan
  • Establishment of policies regarding third-party information access
  • Establishment of a document retention policy
  • Implementation of Multi-Factor Authentication
  • Encryption of Nonpublic information
  • Annual compliance certification to the DFS

Six Cybersecurity Considerations for 2017

In order to ensure that your company is in compliance with the proposed regulations before the New Year, you should consider (and likely adopt) the following steps:

  1. Policies and Procedures: Companies should review their current cybersecurity program with their chief technology officer or information technology provider to ascertain whether the company is currently compliant with the proposed regulations. Early planning with your IT team is vital since you may be required to be compliant by June 2017. A review at this time is also essential because your company’s risk profile may have changed. For instance, the risk of being hacked, losing data, or being subjected to ransomware has increased dramatically during the last year, and bad actors will continue to become more sophisticated. It is likely that any policy and procedure should be improved, even where the improvement is not required by the proposed regulations.
     
  2. Assessment of Class Action Risk: Companies should assess their exposure to litigation, including customer class action lawsuits, should an information breach take place. Planning prior to a cyber attack can also put your company in a better position to respond to the public and mitigate reputational damage. Proper planning should include the development of response systems that can be quickly implemented, and a review of your current data retention systems to ensure that litigation discovery demands can be handled efficiently, without derailing executive focus on commercial issues.
     
  3. Finalizing Budget: Increased cybersecurity regulations and heightened customer awareness about cybersecurity issues make investing in up-to-date technology and processes crucial. Companies should assess whether their current technology budget is adequate and consider what investments will be required in 2017 to keep up with regulatory and market expectations.
     
  4. Cybersecurity Insurance Coverage: Companies should review and assess the adequacy of insurance policies with respect to coverages, deductibles and other limitations related to cybersecurity breaches and attacks. The coverage and policy language should be carefully considered so that you can adequately address the risks that you need to shift to the insurance company. The New York Law Journal article by our partner Alan Lyons, “Finding the Right Level of Cyber Insurance Protection,” details many of the key concerns involved in purchasing and reviewing cyber insurance coverage.
     
  5. Designate (or confirm) a Chief Information Security Officer: The proposed regulations require that covered entities designate a chief information security officer, or CISO, who is responsible for overseeing and implementing a cybersecurity program. A company’s CISO can also streamline the process of complying with the proposed regulations.
     
  6. Establish Cybersecurity Training: Companies should establish cybersecurity training as part of the company’s annual compliance training, as part of new employee onboarding procedures, and through required additional periodic training.

The next 30 days are important to make sure that your cyber risk profile is appropriately assessed, managed and mitigated. Herrick lawyers can help establish and maintain a cybersecurity program that complies with DFS requirements, including drafting or updating your policies and procedures, providing employee training, preparing an incident response plan, and helping you and your CISO navigate the proposed regulations. For more information contact:

Ronald J. Levine at + 212 592 1424
Richard M. Morris at + 212 592 1432
Barry Werbin at + 212 592 1418
Erica L. Markowitz at + 212 592 5953

© 2016 Herrick, Feinstein LLP. This alert is provided by Herrick, Feinstein LLP to keep its clients and other interested parties informed of current legal developments that may affect or otherwise be of interest to them. The information is not intended as legal advice or legal opinion and should not be construed as such.