By Shawn E. Tuma
Mon | Oct 24, 2016 | 12:00 AM PDT

Note: This is the first post in a multi-part series about compliance with the New York Department of Financial Services Cybersecurity Regulations for businesses in and out of New York and the financial services industry. Overall, this series will serve as a guide for understanding how the NYDFS Cybersecurity Regulations will likely impact your business.

The cybersecurity threat is ubiquitous and no industry or region is immune from the risks it poses. Recognizing the seriousness of this risk, the New York Department of Financial Services developed Proposed Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulations”) that were released for comment on September 13, 2016. The Cybersecurity Regulations go into effect on January 1, 2017, and full enforcement begins on July 1, 2017.

Which Companies will be Impacted?

Businesses in all industries across the United States and abroad will likely be impacted by the Cybersecurity Regulations, despite their being a product of New York law directed at businesses regulated by the Department of Financial Services. This is because of the vast breadth of businesses that fall within the Department's authority, which includes all businesses registered in New York, and because the Cybersecurity Regulations require covered entities to contractually obligate the third parties they do business with to comply with provisions of the Cybersecurity Regulations.

Many businesses already have relatively mature cybersecurity programs in place, and for those businesses the Cybersecurity Regulations may not have too great an impact. Many businesses, however, do not have such programs and are lost in a wilderness of confusion about what they should be doing and how they should be doing it. For those businesses, the Cybersecurity Regulations should provide a basic guide to help them develop and implement an appropriate cybersecurity program.

What Do the Cybersecurity Regulations Require?

The NYDFS' goal was to promote the protection of customer information and the information technology systems of businesses by establishing certain minimum standards for businesses to adhere to, without being so prescriptive that cybersecurity programs cannot match the relevant risks and keep pace with technological advances.

Generally, the Cybersecurity Regulations focus on three key goals that cybersecurity experts have regularly identified as crucial to improving businesses' cybersecurity posture. They provide an outline of essential minimum standards for businesses to implement, designate who in the organization should be appointed to lead the process, and mandate top-down buy-in to the process by management and the Board of Directors. They do this by requiring three key things:

1.  Each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion.

2.  Each company must designate a qualified individual to serve as its Chief Information Security Officer responsible for overseeing and implementing its cybersecurity program.

3.  Each company’s senior management must be responsible for its cybersecurity program and file an annual certification confirming compliance with the Cybersecurity Regulations.

What Does This Mean for Business?

The Cybersecurity Regulations that were released on September 13, 2016 are not finalized and are subject to revision. Businesses should nonetheless anticipate that they will be codified in substantially the same form as they are now and prepare accordingly.

Businesses that are within the scope of the NYDFS' regulatory authority must begin preparing now so that they will be in compliance with the Cybersecurity Regulations by January 1, 2017, when the regulations go into effect.

Non-NYDFS-regulated businesses that do business with regulated entities and have access to or hold nonpublic information of covered entities, or have access to their information systems (third party service providers), will be subject to certain mandatory requirements to ensure that the covered entities' nonpublic information and information systems remain adequately protected. Covered entities will be required to develop preferred contract provisions for such third party service providers that permit the covered entity to assess their cybersecurity posture, require them to implement specific cybersecurity measures to protect the nonpublic information and information systems, establish notification and remediation requirements in case of a cybersecurity incident, allocate who pays the costs of such an incident, and permit the covered entity to perform cybersecurity audits of the third party service provider. The substantive requirements of these contracts will leave little room for negotiation because they are being pushed down by the requirements of the law. Moreover, because these contractual protections exist to protect the nonpublic information and information systems, they must flow along with such data and systems access and be pushed down to other contractors and subcontractors who have such access. Businesses that may find themselves in this situation need an adequate understanding of these requirements so that, when negotiating these contracts, they can differentiate between what the covered entity must do and what it merely wishes to do. They also need to begin preparing so that they will have appropriate cybersecurity measures in place to satisfy the requirements of the Cybersecurity Regulations that are passed along to them via contract.

Please check back next week for the second post in this series, an in-depth examination of which entities are regulated by the New York Department of Financial Services. If you would like to read more about the Cybersecurity Regulations, Richard Santalesa has written an excellent overall summary, and the NYDFS has made available both an outline and the full text of the Cybersecurity Regulations.