Why the new rules in New York are important to businesses everywhere
By Shawn E. Tuma
Boards of directors must actively oversee cybersecurity, with the chairman or senior officer certifying compliance, according to a new regulation in New York that will impact companies worldwide.
The cybersecurity threat to companies is ubiquitous and no industry or region is immune. Recognizing the seriousness of this risk, the New York State Department of Financial Services, or NYDFS, developed Cybersecurity Requirements for Financial Services Companies, which became effective March 1, 2017.
The new law contains multiple requirements for direct board involvement in the cybersecurity of companies regulated by the NYDFS (covered entities), as well as of companies that are third-party service providers to covered entities. Specifically, the board is required to take responsibility for the overall cybersecurity program, review and approve its company’s policy, and obtain reports from the chief information security officer at least annually, and either the board’s chairman or a senior officer must sign a written certification of compliance with the regulations on an annual basis. Those who sign these certifications, and their companies, must take them seriously, as the NYDFS has broad authority to investigate both civil and criminal matters that fall within its scope of authority.
Overview of the cybersecurity regulations
The NYDFS’ goal is to promote the protection of customer information and the information technology systems of businesses by establishing certain minimum standards for businesses to adhere to, without being overly prescriptive, so that cybersecurity programs can match the relevant risks and keep pace with technological advances. The regulations are directed at protecting companies’ information systems and non-public information, both of which are specifically defined.
The cybersecurity regulations provide an outline of essential minimum standards for businesses to implement, designate who in the organization should be appointed to lead the process, and mandate top-down buy-in to the process by management and the board of directors. In general, they require three key things:
1. each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion, develop policies, procedures, and training for personnel to address such risks and respond to incidents;
2. each company must designate a qualified individual to serve as its chief information security officer, responsible for overseeing and implementing its cybersecurity program, reporting on its cybersecurity program, and notifying the NYDFS of any material incidents; and
3. each company’s senior management must be responsible for its cybersecurity program and file an annual certification, confirming compliance with the cybersecurity regulations or certify that it meets the criteria to be exempt.
The specific requirements of the NYDFS’ regulations are designed to improve companies’ cybersecurity through a combination of technological and policy-driven measures. These include data governance and classification, access controls and identity management, systems and network security, penetration testing and vulnerability assessments, audit trail systems, access privileges, application security, adequate cybersecurity professionals, multifactor authentication, data retention policies, training and monitoring of authorized users, and encryption of non-public information, both in transit and at rest.
Global impact of cybersecurity regulations
Businesses in all industries across the U.S. and abroad will likely be impacted by the regulations, despite being a product of New York law directed at businesses regulated by the Department of Financial Services. There are two reasons for this. First, the vast breadth of businesses that fall within the NYDFS’ authority includes those in New York such as banks, insurance companies, and other financial institutions. Second, the cybersecurity regulations require that such businesses contractually obligate third parties that they do business with to comply with provisions of the cybersecurity regulations. Because so many companies do business with companies related to the New York financial services industry, the reach will be global.
Impact on companies that are directly regulated
The NYDFS cybersecurity regulations apply to what they define as covered entities: “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the banking law, the insurance law, or the financial services law.” Put simply, a covered entity is any entity regulated by the NYDFS and may include bail bond agents, charitable foundations, and service contract providers among others.
Covered entities that meet the following criteria are exempt from some, but not all, of the requirements of the regulations:
• have fewer than 10 employees, including any independent contractors;
• have less than $5 million in gross revenue in each of the last three fiscal years; and
• have less than $10 million in year-end assets.
Impact on companies that are indirectly regulated
Section 500.11 of the regulations specifically addresses the cybersecurity of third parties and requires covered entities to obtain satisfactory assurances that those they do business with have adequate cybersecurity safeguards. One of the objectives of the cybersecurity regulations, as of most other cybersecurity and privacy policies and frameworks, is to protect the confidentiality, integrity, and accessibility of information and computer systems. This requires protecting the information at all times, wherever it may be and whoever may have possession of it.
This also requires having protections in place for all systems that will interact with the covered entity’s network. This is the same method that is used under the Health Insurance Portability and Accountability Act, or HIPAA, for protecting health information that is transferred from a covered entity under that framework to a business associate. Essentially, this means that third-party business partners are becoming business associates.
The cybersecurity regulations direct that a covered entity’s chief information security officer require third-party service providers to maintain a cybersecurity program that meets the requirements of the cybersecurity regulations. They further require the covered entity to implement written policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third parties doing business with the covered entity. The regulations require covered entities to address this in their contracts, through contractual provisions and/or guidelines addressing cybersecurity. Unlike the partial exemption available to smaller covered entities, they include no exception from any of the requirements for smaller third-party service providers.
What do the cybersecurity regulations mean for all companies?
Many businesses already have relatively mature cybersecurity programs in place, and for those businesses, the cybersecurity regulations may not have too great of an impact. Many businesses, however, do not have such programs and are lost in the wilderness of confusion in determining what they should be doing and how they should be doing it. For those businesses, the regulations should provide a basic guide to help them develop and implement an appropriate cybersecurity program.
Non-NYDFS-regulated businesses that do business with regulated entities and have access to or hold non-public information of covered entities or their information systems (third-party service providers) will be subject to certain mandatory requirements to ensure the covered entities’ non-public information and information systems remain adequately protected. Covered entities will be required to develop preferred contract provisions for such third-party service providers that permit the covered entity to assess their cybersecurity posture, require them to implement specific cybersecurity measures to protect the non-public information and information systems, establish notification and remediation requirements in case of a cybersecurity incident, and allocate who pays the costs of such an incident.
Copyright © 2017 by Ethical Boardroom strictly reserved. No parts of this material may be reproduced in any form without the written permission of Ethical Boardroom. This article has been edited and reprinted with permission.
SHAWN E. TUMA is a cybersecurity lawyer who helps solve problems involving cybersecurity, data privacy, computer fraud, and intellectual property law. Tuma is a frequent author and speaker on these issues and has used social media to help build his practice. He is a partner in Scheef & Stone, a full-service commercial law firm in Texas that represents businesses of all sizes throughout the United States and, through its Mackrell International network, throughout the world.