August 17, 2017
The 180-day transitional period under the New York Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies is set to expire Aug. 28, 2017. Financial services companies must achieve compliance with the cybersecurity regulations prior to this deadline or face substantial monetary penalties and reputational harm.
Cybersecurity Regulation Overview
The cybersecurity regulations became effective March 1, 2017. In its official introduction to the regulations (23 NYCRR 500), NYDFS observed that the financial services industry has become a significant target of cybersecurity threats and that cybercriminals can cause large financial losses for both financial institutions and their customers whose private information may be stolen for illicit purposes. Given the seriousness of this risk, NYDFS determined that certain regulatory minimum standards were warranted but avoided being overly prescriptive, to allow cybersecurity programs to match the relevant risks and keep pace with technological advances.
The cybersecurity regulations require each financial services company regulated by NYDFS to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The required risk assessment, however, is not intended to permit a cost-benefit analysis of acceptable losses where an institution faces cybersecurity risks. Senior management must be responsible for an organization’s cybersecurity program and file an annual certification confirming compliance with the regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.
NYDFS has issued a clear warning of its intent to pursue strong enforcement of the cybersecurity regulations: “It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”
Who’s Affected?
The cybersecurity regulation applies to any organization operating under, or required to operate under, an NYDFS license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. Entities regulated by NYDFS include the following:
Required Actions
Financial services companies that are subject to the cybersecurity regulations must take the following actions by Aug. 28, 2017.
Although the cybersecurity regulations do not require the risk assessment to be completed until March 1, 2018, the risk assessment is a critical component of an effective cybersecurity program. As of March 1, 2018, a company’s cybersecurity program, policies, penetration testing and vulnerability assessments, access privileges, authentication controls and cybersecurity awareness training all must consider the results of this risk assessment, and the company must make periodic updates to each as appropriate. NYDFS recognized, however, that in some cases there may be updates and revisions to a company’s cybersecurity program that incorporate the results of a risk assessment conducted after the Aug. 28, 2017, deadline.
Limited Exemptions
A limited exemption from some (but not all) requirements of the cybersecurity regulations is available to financial services companies with (1) fewer than 10 employees and independent contractors who are located in New York or are otherwise responsible for the company’s business in New York; (2) less than $5 million in gross annual revenue for each of the last three fiscal years from New York business operations; or (3) less than $10 million in year-end total assets. Companies that determine they qualify for this limited exemption should file a notice of exemption by Sept. 27, 2017.
Enforcement and Penalties
The cybersecurity regulations do not specifically detail any potential penalties or the impact of noncompliance. Instead, they “will be enforced by the superintendent [of NYDFS] pursuant to, and [are] not intended to limit, the superintendent’s authority under any applicable laws.” In its assessment of public comments prior to final promulgation of the cybersecurity regulations, NYDFS noted that although “[s]ome commenters offered suggestions for more-specific enforcement-related provisions … [t]he Department did not make any revisions in response to those suggestions because it believes that the current Enforcement section … is sufficient.”
Enforcement actions most likely would arise pursuant to the general authority of NYDFS under the New York Banking Law, which authorizes the superintendent of NYDFS to require a regulated entity to pay a penalty “for any violation of this chapter [or] any regulation promulgated thereunder” (which would include the cybersecurity regulations). Penalties pursuant to the New York Banking Law are authorized up to (a) $2,500 per day during which a violation continues, (b) $15,000 per day in the event of any reckless or unsound practice or pattern of misconduct, or (c) $75,000 per day in the event of a knowing and willful violation.
Future Compliance Deadlines
The cybersecurity rule provides an additional transitional period for financial services companies to achieve compliance with its remaining requirements, with rolling deadlines on Feb. 15, March 1 and Sept. 3, 2018; and March 1, 2019. Financial services companies subject to the cybersecurity regulations must take the following actions by the applicable compliance deadline:
For additional information regarding these requirements and other data privacy and security news and trends, visit our blog, Password Protected.