New York State’s Department of Financial Services (DFS) has just released its revised first-in-nation proposed cybersecurity regulation. In formulating the revised proposal, DFS took into account the more than 150 comments it received with regard to its original proposal, which was released in September 2016. Although the new proposal maintains many of the requirements of the initial proposal, such as the requirements for a Cybersecurity Program, a written Cybersecurity Policy, and the designation of an individual responsible for the program’s implementation and oversight, the new proposal differs in a number of very significant ways, highlighted below:
- DFS has retreated from the prescriptive approach it took in its original proposal. Under the new proposal, an entity’s Cybersecurity Program “shall be based on the Covered Entity’s Risk Assessment.”
- DFS has deleted the requirements to identify the Covered Nonpublic Information stored by the Covered Entity and to identify its sensitivity.
- There is a new requirement to address “asset inventory and device management” in the Cybersecurity Policy, while the requirement to address “capacity and performance planning” has been eliminated.
- The Cybersecurity Policy must be approved by a Senior Officer or by the Board of Directors, but the requirement for annual review by the board or a senior officer has been dropped.
- The CISO now shall report in writing to the board at least annually. The earlier proposal would have required the CISO to present at least bi-annually to the board. The required CISO Report now should be risk-based.
- Annual penetration testing is required “absent monitoring, or other systems to detect, on an ongoing basis” changes that may create vulnerabilities.
- The Audit Trail requirements are significantly scaled back. Now, systems should be based on a risk assessment and designed to “reconstruct material financial transactions sufficient to support normal operations” and “detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of” normal operations.
- Risk Assessments should be conducted periodically, instead of “at least annually.”
- A Third Party Service Provider Security Policy is still required, but shall be based on the Covered Entity’s Risk Assessment. Periodic assessment of Third Party Service Providers should be based on the risk they present. The requirement for the provision of identity protection services to customers materially affected by a third party breach was deleted, and the required representations and warranties from Third Parties were considerably reduced.
- Instead of requiring Multi-Factor Authentication (MFA) for access from external systems, the new proposal permits the use of “reasonably equivalent or more secure access controls” if approved in writing by the CISO. The MFA requirement for internal access to Nonpublic Information was deleted. Based on its Risk Assessment, a Covered Entity now must use “effective controls, which may include MFA or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.”
- The initial proposal’s broad encryption requirements have been replaced. Under the new proposal, if a Covered Entity determines that encryption of Nonpublic Information in transit or at rest is infeasible, it may use “alternative compensating controls reviewed and approved by the Covered Entity’s CISO.” Decisions to utilize compensating controls must be reviewed at least annually.
- Incident Response Plans now relate only to any Cybersecurity Event “materially affecting” the Covered Entity’s Information Systems or its continuing functionality.
- The required Certification of Compliance now allows Covered Entities to identify “areas, systems or processes that require material improvement, updating or redesign,” but requires documentation of the planned and in-process remedial efforts. The requirement for certification by the board or a Senior Officer was retained.
- Staggered deadlines of one year, 18 months, and two years are indicated for various requirements within the overall regulation. For example, a one-year deadline applies to the CISO Report requirement, an 18-month deadline applies to the Audit Trail provisions and a two-year deadline applies to the Third Party Service Provider Security Policy requirement.
- The new proposal includes Confidentiality exemptions under the existing federal and state law for information provided by Covered Entities.
While the proposed regulation is subject to a final 30-day comment period, DFS has made clear that its final review will focus only on issues that were not raised in response to the first proposal. The regulation is due to go into effect on March 1, 2017.
Although some of the more controversial requirements of the initial proposed regulation have been scaled back or deleted, the new proposal is likely to present challenges for many entities. Given the relatively short deadlines for compliance, Covered Entities are urged to take DFS’s advice to “swiftly and urgently” take action.