As a follow-up to our previous reports (December 30, 2016 Alert; February 24, 2017 Alert) regarding the cybersecurity regulations issued by the New York State Department of Financial Services (NYDFS), we would like to remind covered entities that the first of several implementation deadlines is this month, on August 28, 2017. To help you prepare, we are providing here an overview of the August 28, 2017 implementation requirements for covered entities.
In addition to this overview, covered entities may also turn to the NYDFS’ Frequently Asked Questions Regarding 23 NYCRR Part 500 as a helpful resource in preparing for implementation.
August 28, 2017 Implementation Requirements Overview
Creation and Implementation of Board or Senior Officer-approved Cybersecurity Policy/Policies
Keep in mind that your policy or policies must apply specifically to your entity and cover the following topics, as relevant to your organization:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery planning and resources
- Systems operations and availability concerns
- Systems and network security and monitoring
- Physical security and environmental controls
- Customer data privacy
- Incident response
Although the topics below must also be part of your entity’s Cybersecurity Policy/Policies, the compliance timeline for certain of them extends beyond August 28. If you have not completed the steps required by the sections listed below, your policies must be updated as these dates approach to ensure the relevant sections have been added:
- Risk assessment – Risk Assessment transitional period ends March 1, 2018
- Systems and application development and quality assurance – Application Security transitional period ends September 1, 2018
- Vendor and third party service provider management – Third-Party Service Provider Security Policy transitional period ends March 1, 2019
Limitation of User Access Privileges
As part of the Cybersecurity Program, your entity must limit the access users have to systems containing nonpublic information. Consider your company’s information systems and determine who needs access to what, recognizing that different jobs require access to different information. Work with your systems administrators to tailor individuals’ and departments’ access accordingly. And, importantly, document these decisions and the reasoning behind them.
Designation of a Chief Information Security Officer (CISO)
This individual must be qualified and responsible for the oversight and implementation of the Cybersecurity Program, including annual reports to the Board regarding your organization’s program and risks. If your company is unable to employ or identify an individual within your organization to fulfill this requirement, keep in mind that – with proper oversight as outlined in the NYDFS rule – your entity’s CISO may be employed by an affiliate or a third party service provider.
Utilization of Cybersecurity Personnel and Intelligence
The NYDFS expects covered institutions to utilize qualified personnel to manage and oversee the core cybersecurity functions specified in the regulations. These individuals must also be provided with training and updates to address relevant cybersecurity risks and your organization must verify that key personnel proactively work to keep their knowledge of cybersecurity risks current with the changing threats and countermeasures.
Written Incident Response Plan
A sufficient incident response plan must, at minimum, be in writing and dictate how the organization will “respond to, and recover from” an incident (as that term is described in the regulations). This written plan must provide the following for your organization:
- The internal process your organization will use to respond to cybersecurity events
- Goals of your organization’s Incident Response Plan
- Definitions of clear roles, responsibilities, and decision-making authority if and when your organization faces an Incident
- External and internal communications and information sharing
- Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
- Documentation and reporting regarding cybersecurity events and related incident response activities
- The evaluation and revision as necessary of the incident response plan following a cybersecurity event
The NYDFS requires all covered entities that, as of August 28, 2017, qualify for an exemption under 23 NYCRR 500.19(a)-(d) to file a Notice of Exemption with the NYDFS prior to September 27, 2017. Details about the remaining implementation deadlines may be found in our previous alert.
The term “nonpublic information” is defined as “all electronic information that is not Publicly Available Information and is: (1) Business related information of a Covered Entity the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact to the business, operations or security of the Covered Entity; (2) Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records; (3) Any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.”