Revisions to New York’s Proposed Cybersecurity Regulations Reflect Risk-Based Approach
This advisory is based on a Consumer Financial Services Law Monitor blog* entry posted January 3rd entitled, “New York Financial Regulator Revises Proposed Cybersecurity Regulation.” Our Financial Institutions Team would like to bring this topic to the attention of our audience as it directly impacts banks, regardless of size, as well as others in the financial services industry.
On December 28, 2016, the New York Department of Financial Services (“NY DFS”) released its highly anticipated revised cybersecurity rule. As we previously noted here, the proposed rule would require banks, insurance companies, and other financial services institutions to establish and maintain a cybersecurity program and to take other measures to protect against data breaches and cyber attacks.
The NY DFS’s original proposed rule, released on September 13, 2016, sparked widespread backlash from the banking industry, and the New York financial regulator received over 150 comment letters from affected parties, including banks, insurers, and money service businesses. Critics railed against the original proposed rule as being too strict and untenable as to certain specifics regarding cybersecurity programs, monitoring of third-party vendors, and appointing a chief information security officer.
In response, the NY DFS made a number of changes in the revised rule. Perhaps most favorable to financial institutions, money transmitters, insurance companies, and other covered entities is the NY DFS’s decision to provide more risk-based controls in the revised rule related to cybersecurity programs, penetration testing, vulnerability assessments, audit trails, access privileges, encryption, and multifactor authentication. The original proposed rule provided more prescriptive, minimum rule-based controls that offered less flexibility for covered entities. The revised rule’s shift to more risk-based controls comports more closely with federal Gramm-Leach-Bliley Act requirements that the specific controls employed be in line with the size and sophistication of the regulated entity.
Other notable changes in the revised rule include:
- Requiring that risk assessments be performed “periodically” rather than annually as mandated in the original proposed rule;
- Requiring that the company’s cybersecurity plan be reviewed and approved by either a senior officer or the board of directors, and not both as called for in the original proposed rule;
- Creating a “limited” small business exemption for covered entities that have fewer than 10 employees, less than $5 million in gross annual revenue, or under $10 million in year-end total assets;
- Clarifying that businesses only need to ensure that a particular individual is performing the duties of a chief information security officer, and that they don’t need to dedicate an employee exclusively to these activities;
- Allowing companies to forgo encrypting nonpublic information and to use a different control when they find such encryption to be “infeasible”; and
- Narrowing the notification trigger by limiting required reporting to events that the business is already required to report to other regulators or supervisory bodies and that have “a reasonable likelihood of materially harming any material part of the normal operations” of the institution.
Even with the new changes, critics still may not be satisfied. For example, the NY DFS rejected a request from a number of commentators that the proposed rule should harmonize more closely with other standards, including state, federal, and international standards – both existing and proposed. In response to these criticisms, the NY DFS stated that it “has been continually mindful of other standards and approaches and believes that the revised regulation is appropriately consistent with the goal of setting minimum standards.” The revised rule will be finalized in January following a 30-day notice and public comment period, and will become effective on March 1, 2017.
*Members of our Consumer Financial Services and Cybersecurity, Information Governance, and Privacy teams authored the original blog post, including Ronald I. Raether, Jr., Mark C. Mao, and C. Reade Jacob, Jr.
Visit our Consumer Financial Services Law Monitor here.
© TROUTMAN SANDERS LLP. ADVERTISING MATERIAL. These materials are to inform you of developments that may affect your business and are not to be considered legal advice, nor do they create a lawyer-client relationship. Information on previous case results does not guarantee a similar future result.