Craig A. Newman, partner at Patterson Belknap, wrote: "By today, financial institutions are required to meet their next deadline for compliance with New York’s cybersecurity law. The regulation – enacted in March 2017 – includes a series of rolling deadlines that require banks and insurance companies covered by the law to meet varying data security requirements.
"Today’s deadline requires companies to meet five new milestones, mostly technical in nature. Earlier requirements from the New York State Department of Financial Services (DFS) cybersecurity regulation focused on developing and implementing written cybersecurity policies and procedures.
"Yet, the most difficult requirement for most companies is still six months away. By March 1, 2019, businesses are required to get their third-party vendors in line by adopting policies and procedures that govern the way these outsiders access the company’s network and its most sensitive information.
"By any measure, the third-party requirement will be a heavy lift. Most firms use more than a handful of vendors ranging from outsourcing firms to accounting and law firms.
"For larger organizations, this requirement could mean putting hundreds – perhaps even thousands – of vendors through their paces to ensure that they have adequate cyber safeguards in place by early next year.
"And the third-party rules aren’t “check-the-box” requirements. DFS has already made clear that it expects companies to perform ongoing diligence to ensure that their vendors are practicing good data security hygiene. Firms “must assess the risks each … [p]rovider poses to their data and systems and effectively address those risks. The Department has provided a two year transitional period to address these risks and expects … a thorough due diligence process….” We’ll do a deeper dive into this new requirement in the coming months.
"The third-party requirement should not come as a surprise. Several of the largest reported breaches in the U.S. were facilitated by inept safeguards covering a company’s third-party vendors. In fact, an April 2015 report by DFS found that only 46% of institutions which participated in a survey conducted “pre-contract on-site assessments of at least high-risk third party vendors.”
"And 44% of those institutions did not require third-party vendors to guarantee that their data and products were free of viruses. Similarly, only half of the surveyed institutions required indemnification clauses for information security failures in their agreements with third-party vendors. Those statistics are likely to change dramatically after March 1st.
"Here’s a quick breakdown of today’s requirements:
· Maintain Audit Trails. This two-fold requirement means that financial firms must maintain systems “designed to reconstruct material financial transactions sufficient to support normal operations and obligations” and “include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations…” The financial trails must be kept for five years and cyber trails for three years.
· Encryption. By far, the most demanding requirement is encryption. Companies are required to encrypt nonpublic information unless it’s determined that doing so is “infeasible.” Encrypting information that’s backed up to a storage center or in the cloud is relatively easy in many cases, but encrypting data on a network – especially at the folder or file level – often makes it more difficult to do business on a day-to-day basis. Companies will need to focus on their unique risks and use appropriate safeguards to manage them.
· Watching Network Users. Companies must also keep a watchful eye on their authorized computer users and put in place “policies, procedures and controls designed to monitor” their activity and detect unauthorized activity or access. [Part of this means security awareness training.]
· Data Retention Limits. Information should only be kept as “necessary for business operations or for other legitimate business purposes….” Of course, if the information must be kept on hand because of a law or regulation, firms are permitted to do so. The same is the case when getting rid of stale information “is not reasonably feasible due to the manner in which the information is maintained.”
· Application Security Procedures. For internally developed applications, companies must adopt “written procedures, guidelines and standards designed to ensure the use of secure development practices.” And for externally developed or off-the-shelf applications, procedures must be in place “for evaluating, assessing or testing the security” of those applications.
"Keep watching this space for future DFS cyber regulation developments. In the meantime, a handy resource guide is the agency’s “Frequently Asked Questions” which can be found here. Cross-posted with grateful acknowledgement to Patterson Belknap.