We previously reported on the New York Department of Financial Services’ proposed cybersecurity regulations. During the public comment period, the DFS received over 150 comments. In response, the DFS announced on December 28, 2016, that it had revised the proposed regulations and delayed their effective date by two months. On February 16, 2017, the DFS confirmed the final regulations will take effect March 1, 2017, with required compliance 180 days thereafter (August 28, 2017). These regulations apply not only to property and casualty insurers licensed in New York, but also to many of their commercial policyholders and insured vendors subject to DFS regulatory authority.
During the comment period, many small and medium-sized companies were particularly active in objecting to the “one size fits all” approach of the original proposed regulations. The DFS attempted to address these concerns in the revised regulations by making the design of an organization’s cybersecurity program dependent on the outcome of that organization’s risk assessment. A risk assessment would be required periodically, as opposed to annually, as originally proposed by the DFS. In the revised regulations, an organization’s risk assessment drives many additional aspects of the cybersecurity program, including audit trails, access privileges, and multi-factor authentication. Additionally, whether an entity is exempt is now determined by its number of employees and independent contractors (fewer than 10), rather than its number of customers; the original proposal’s gross revenue and total asset exemptions are retained. While small and medium-sized companies can use a third party service provider for some assistance (e.g., serving as the company’s designated CISO or providing its cybersecurity personnel), the burden of overseeing these providers and of complying with the regulations’ requirements will still largely fall to the company’s compliance and IT personnel.
In the revised regulations, the definition of “nonpublic information” is also narrower than originally proposed. The revised definition of “nonpublic information” is more in line with the relevant definitions in other breach notification statutes. The encryption requirements for nonpublic information are also scaled back in the revised regulations. The revised regulations no longer require companies to encrypt all nonpublic information in all circumstances to protect information at rest or in transit. Instead, the regulations require the implementation of “compensating controls,” which may (but do not necessarily) include encryption, depending on the risk assessment.
Additional key revisions include:
- Notice Requirements: The notice obligation was narrowed to cybersecurity events that the entity must report to any government body or self-regulatory or supervisory body, and events that have a reasonable likelihood of materially harming any material part of the normal operations of the entity. This revision removes the original proposal’s requirement to report any potential unauthorized tampering with, access to, or use of nonpublic information. Notice must still be made to the DFS within 72 hours.
- Clarity on Third Party Service Provider(s): The original proposal left this phrase undefined, whereas the revised regulations define it as a person that: (i) is not an affiliate of the entity; (ii) provides services to the entity; and (iii) maintains, processes, or otherwise is permitted access to nonpublic information through its provision of services to the entity.
- CISO: Cybersecurity reports are to be submitted at least annually, as opposed to the original proposal, which required at least bi-annual (twice-yearly) reporting.
- Confidentiality: Information provided to the DFS under the revised regulations is exempt from disclosure.