New York Cracks Down on Cybersecurity Compliance

In 2021, the New York Department of Financial Services (NYDFS) has been cracking down on companies that fail to comply with the Cybersecurity Regulations set forth in 23 NYCRR Part 500, imposing millions of dollars in civil penalties. On June 8, 2021, NYDFS issued a series of frequently asked questions (FAQs) providing guidance on the Cybersecurity Regulations, which impose stringent requirements designed to protect information systems and the nonpublic information stored on those systems. On June 30, 2021, NYDFS issued Ransomware Guidance on the steps companies should take to prevent or mitigate the risk of a ransomware attack. In addition, NYDFS has encouraged cyber insurers to adopt a Cyber Insurance Risk Framework to measure and manage cyber risk and exposure, citing the unprecedented rise in cyber threats, the growing losses associated with them and the systemic risk they create.

Part I. NYDFS Cybersecurity Regulations

Effective March 17, 2017, the NYDFS promulgated 23 NYCRR Part 500, setting forth comprehensive cybersecurity compliance requirements for all DFS-licensed Covered Entities that operate under New York Banking, Insurance or Financial Services laws. The Regulations were intended to “promote the protection of customer information as well as the information technology systems of regulated entities” in light of the growing threat of cybersecurity risks. Subject to limited exemptions, the Regulations required Covered Entities to implement an enterprise-wide Cybersecurity Program, policies and procedures to address and mitigate this risk.

On June 8, 2021, NYDFS issued guidance in the form of FAQs to address questions concerning compliance with the 23 NYCRR Part 500 Cybersecurity Regulations.

Entities Subject to NYDFS Cybersecurity Requirements
The Regulations apply generally to Covered Entities, which are defined to include organizations operating under a license or registration under the New York Banking Law, Insurance Law or Financial Services Law. The Regulations separately refer to Authorized Users and Third-Party Service Providers (TPSPs) that are authorized to access or use a Covered Entity’s information systems and data.

As recently observed by NYDFS, it is not uncommon for a single entity to wear multiple hats in various capacities. The FAQs cite the example of a DFS-licensed independent insurance agent that works with multiple insurance companies. The insurance agent is a Covered Entity in its own right and has an obligation to establish and maintain a Cybersecurity Program designed to protect the confidentiality, integrity and availability of its information systems and Nonpublic Information (NPI) stored on those systems, including sensitive personal data, health information or proprietary business information.

However, to the extent the insurance agent has access to NPI or information systems maintained by an insurance company, the agent wears the hat of a TPSP while the insurance carrier is the Covered Entity subject to compliance with the Cybersecurity Regulations.

Limited Exemptions to Compliance
The Regulations recognize certain limited exemptions for Covered Entities that may not be required to comply with all of the cybersecurity requirements set forth in 23 NYCRR Part 500.

The exemptions apply to a Covered Entity that satisfies one or more of the following criteria:

  • Has fewer than 10 employees (including independent contractors) in the State of New York

  • Has earned less than $5 million in gross annual revenue from New York business operations in each of the last three (3) fiscal years

  • Has less than $10 million in year-end total assets.

If an entity claims an exemption, it must file a Notice of Exemption with the Department. Moreover, the Covered Entity must maintain data and documentation supporting the Notice of Exemption for a period of five (5) years.

Cybersecurity Requirements
Importantly, however, an exempt Covered Entity is still required to comply with many of the cybersecurity requirements, including, but not limited to, maintaining a Cybersecurity Program and policies, conducting a Risk Assessment and implementing a TPSP Security Policy, as summarized below.

Cybersecurity Program
23 NYCRR 500.02 requires each Covered Entity to maintain a Cybersecurity Program designed to protect the confidentiality, integrity and availability of its Information Systems (IS) and the NPI stored on those systems. The Cybersecurity Program should be designed to perform the following functions: (1) identify and assess internal and external cybersecurity risks, (2) implement policies and procedures to protect IS and NPI, (3) detect Cybersecurity Events, and (4) recover and restore data after Cybersecurity Events.

Cybersecurity Policies
Pursuant to 23 NYCRR 500.03, each Covered Entity must implement and maintain written policies and procedures for the protection of IS and NPI, as approved by a senior officer or the board of directors.

These policies should address the following issues to the extent applicable:

  • Information security

  • Data governance and classification

  • Asset inventory and device management

  • Access controls and identity management

  • Business continuity and disaster recovery

  • Systems network security and network monitoring

  • Systems and application development and quality assurance

  • Physical security and environmental controls

  • Customer data privacy

  • TPSP management

  • Risk assessment

  • Incident response.

Risk Assessment
23 NYCRR 500.09 states that each Covered Entity shall conduct a periodic Risk Assessment of its IS to identify cybersecurity-related threats to its business operations and to the NPI stored on its systems, and to evaluate the effectiveness of the controls in place to protect that information.

Third-Party Service Provider Security Policy
Pursuant to 23 NYCRR 500.11, a Covered Entity shall implement written policies and procedures designed to ensure security of IS and NPI that are accessible by its TPSPs.

These policies should address the following cybersecurity controls for the TPSP:

  • Identification and risk assessment of the TPSP

  • Minimum cybersecurity practices required to be met by the TPSP

  • Due diligence processes used to evaluate the adequacy of the cybersecurity practices of the TPSP

  • Access controls and use of multifactor authentication (MFA) by the TPSP

  • Encryption of NPI in transit and at rest by the TPSP

  • Notice by the TPSP to the Covered Entity of a Cybersecurity Event

  • Representations and warranties by the TPSP related to security of Information Systems and NPI

Notice to NYDFS of Cybersecurity Event
Moreover, no Covered Entity is exempt from providing NYDFS with notice of a Cybersecurity Event, which is defined as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System.”

Pursuant to 23 NYCRR 500.17, a Covered Entity must notify NYDFS within 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following:

  • A Cybersecurity Event for which the Covered Entity is required to notify any (other) regulator

  • A Cybersecurity Event that has a reasonable likelihood of materially harming any material part of the normal operations of the Covered Entity.

As explained in the NYDFS’s recent guidance and FAQs published in June 2021, even “unsuccessful attacks” may be subject to notice:

Covered Entities are requested to notify the Department of those unsuccessful attacks that appear particularly significant based on the Covered Entity’s understanding of the risks it faces. For example, in making a judgment as to whether a particular unsuccessful attack should be reported, a Covered Entity might consider whether handling the attack required measures or resources well beyond those ordinarily used by the Covered Entity, like exceptional attention by senior personnel or the adoption of extraordinary or nonroutine precautionary steps.

Notice to NYDFS is in addition to any other notification obligations a Covered Entity may have under New York’s data breach notification law or any similar laws.

Certification of Compliance
Pursuant to the regulations, a Covered Entity is required to submit a written statement to NYDFS each year certifying compliance with the requirements of 23 NYCRR 500. The Covered Entity also must maintain supporting documentation for a period of five (5) years for examination by the regulator. As further explained in its recent guidance and FAQs:

The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 as of December 31 of the previous calendar year.

Advisor Armor