New York was concerned that sensitive data held by companies, such as people’s banking information, social security numbers and other financial records, could be unlawfully accessed by hackers (other nations, individuals, companies). The New York Department of Financial Services (“DFS”) has promulgated regulations entitled the “Cybersecurity Requirements for Financial Services Companies,” which can be found at 23 NYCRR 500.
The regulation applies to “Covered Entities,” meaning any person operating under, or required to operate under, a license, registration, charter, certificate, permit or similar authorization under the New York Banking Law, the Insurance Law or the Financial Services Law. Subject to certain exemptions, discussed briefly below, each Covered Entity must maintain a Cybersecurity Program, based on the Covered Entity’s own Risk Assessment, that is designed to perform the following core functions:
(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;
(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
(3) detect Cybersecurity Events;
(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;
(5) recover from Cybersecurity Events and restore normal operations and services; and
(6) fulfill applicable regulatory reporting obligations.
Additionally, each Covered Entity, unless exempt, must designate a qualified Chief Information Security Officer responsible for overseeing and implementing its Cybersecurity Program, and must adopt a written Cybersecurity Policy, approved by a Senior Officer or the board of directors (or equivalent governing body), addressing the following areas:
(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management;
(m) risk assessment; and
(n) incident response.
The regulation also imposes other requirements, among them regular reporting to the DFS (including an annual certification of compliance and notice of certain Cybersecurity Events within 72 hours), regular cybersecurity awareness training for personnel, confidentiality, and encryption of Nonpublic Information in transit over external networks and at rest (or, where encryption is infeasible, compensating controls reviewed and approved by the Chief Information Security Officer).
A Covered Entity may be exempt from some, but not all, of the requirements of the regulation. Notably, Covered Entities with fewer than 10 employees (including independent contractors), or less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or less than $10,000,000 in year-end total assets (calculated in accordance with GAAP) are exempt from some of the more burdensome requirements. Similarly, a Covered Entity that does not operate or control any Information Systems and does not own, access, receive or possess any Nonpublic Information is exempt from other portions of the regulation, as is an employee, agent, representative or designee of a Covered Entity that is itself a Covered Entity, to the extent it is covered by the other Covered Entity’s Cybersecurity Program. A Covered Entity claiming a limited exemption must still file a Notice of Exemption with the DFS and remains subject to the sections from which it is not exempt. The DFS provides helpful charts in its FAQ for the regulation summarizing which sections apply under each exemption.