Adam J. Fleisher and Nathan D. Taylor
On December 28, 2016, the New York State Department of Financial Services (NYDFS) released a significantly revised version of its controversial proposed cybersecurity rules, initially proposed in September of last year. As we noted in our Client Alert at that time, the rules as originally proposed would have created one of the most comprehensive and detailed cybersecurity standards in the country, and would have created significant compliance and implementation challenges. As a result, the original proposal generated significant industry outcry, calling into question, among other things, the original proposal’s workability. Like the original proposal, the revised proposal would apply to any person “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under” New York banking, insurance and financial services law, including, for example, commercial banks, foreign banks with New York State-licensed offices, mortgage brokers and servicers, small-loan lenders, and money transmitters doing business in New York. The comment period regarding the revised proposal closes on January 27, 2017.
The revised proposal includes extensive changes that would narrow the proposal and make it less prescriptive in some respects. While the proposal has been significantly reworked, covered financial institutions still will face challenges in putting in place the type of comprehensive cybersecurity program and security controls that would be required if the proposal is finalized as revised. This will be particularly true for those covered financial institutions that historically have not been subject to scrutiny on their cyber practices or that do not have mature cybersecurity processes and controls in place.
Consistent with the original proposal, the revised proposal would require covered financial institutions to put in place controls designed to protect “nonpublic information” and the information systems that handle that “nonpublic information.” Nonetheless, the NYDFS has made changes that would narrow the scope of the requirements contemplated under the revised proposal:
In addition, as we noted in our previous Client Alert, the prescriptive nature of the original proposal would have been unworkable in some respects, such as requiring a covered financial institution to encrypt all types of customer information at rest and in transit. With this revised proposal, many of the controls that would be required would be more flexible and risk-based, although questions remain about the specific expectations of the NYDFS.
The NYDFS also added several new provisions, including a provision that would require that “[a]ll documentation and information relevant to the Covered Entity’s cybersecurity program . . . be made available to [the NYDFS] upon request.” This provision apparently is intended to reinforce examination authority on these issues. It should be noted that the NYDFS also has proposed adding a confidentiality provision affirming that information provided under these regulations would be exempt from disclosure consistent with the exemptions under existing applicable laws, such as New York banking law.
Finally, the NYDFS retained the board of directors’ annual certification of compliance provision in its original form. Nonetheless, the revised proposal would provide additional time to comply with many of the proposal’s requirements. If adopted as proposed, the revised regulations would become effective on March 1, 2017, with the first annual certification of compliance due on February 15, 2018. And, while the phased compliance period begins 180 days from the effective date, it extends as follows: (1) one year from the effective date for certain requirements, including penetration testing, the risk assessment, multifactor authentication and general cybersecurity awareness training; (2) 18 months from the effective date for certain requirements, including the audit trail, application security, data retention practices and monitoring authorized user activity to detect unauthorized access; and (3) two years for the requirements relating to third-party service providers. The extended compliance dates are a positive change. One potential issue, however, is how covered entities will reconcile the one-year compliance date for the risk assessment with the 180-day compliance date for obligations, such as the written cybersecurity program, that must be informed by the risk assessment.
The revised regulations are subject to a 30-day comment period that began on December 28, the date the proposal was published in the New York State Register. At the end of this comment period, the NYDFS is expected to publish final regulations. As the NYDFS noted in the press release accompanying the revised regulations, it will “focus its final review on any new comments that were not previously raised in the original comment process.” Nonetheless, in light of the likely implementation of these complex rules, financial institutions that would be covered should consider both their compliance position and whether to submit comments.
©1996-2017 Morrison & Foerster LLP. All rights reserved.