Governance, Risk and Compliance, Americas

DFS’s Cybersecurity Regulation: What Your Company Should Have Done

Organizations covered by New York’s Cybersecurity Regulation for Financial Service Companies must take stock of their compliance efforts before pushing deeper into 2019.

As we’ve previously blogged about, businesses covered by the cyber regulation must submit an annual compliance certificate for the prior year, affirming that all applicable requirements have been met by their deadlines. And DFS takes that requirement seriously, warning companies that it “expects full compliance with this regulation,” and that a “Covered Entity may not submit a certification” unless “the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification.” The next compliance certificate is due on February 15, 2019, but because it covers the prior calendar year, now is the time to look back at your 2018 compliance efforts.

The 2018 requirements were a heavy lift, even for large companies, with mandates ranging from annual penetration testing to encryption. And those requirements are loaded with nuance and often keyed-off the organization’s periodic risk assessment. That assessment in turn required companies “to respond to technological developments and evolving threats” and to “consider the particular risks of the Covered Entity’s business operations related to cybersecurity.”

With those caveats in mind, here’s a quick rundown of 2018’s requirements:

  • CISO Report – the Chief Information Security Officer “shall report in writing at least annually” to the board of directors or equivalent governing body (500.4(b));
  • Penetration Testing and Vulnerability Assessments – annual penetration testing or continuous monitoring must conducted, together with bi-annual vulnerability assessments (500.05(a)-(b));
  • Audit Trails – covered organizations must maintain systems designed to “reconstruct material financial transactions sufficient to support normal operations” and audit trails designed to “detect and respond to Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operations” (500.06);
  • Application Security – companies must create “written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications,” in addition to “procedures for evaluating, assessing or testing the security of externally developed applications” (500.08);
  • Risk Assessment – an essential aspect of the regulation is the periodic risk assessments, which must “inform the design of” a company’s cybersecurity program. There are specific and detailed requirements that guide an organization’s performance of the risk assessment process (500.09);
  • Multi-factor Authentication – effective controls, which “may include Multi-Factor Authentication or Risk-Based Authentication” must be employed “to protect against unauthorized access to nonpublic information or” an organization’s technology and IT environments (500.12);
  • Data Retention – policies and procedures are required for the “secure disposal on a periodic basis” of nonpublic information “no longer necessary for business operations or for other legitimate business purposes” (Section 500.13);
  • Training and Monitoring – risk-based policies, procedures and controls are required to monitor authorized users and to detect unauthorized access or tampering with nonpublic information. Regular (and updated) cybersecurity awareness training “for all personnel” is also required (Section 500.14(a)-(b)); and
  • Encryption – controls are required, including encryption, to protect nonpublic information in transit or at rest. If encryption is deemed “infeasible,” an organization may use “effective alternative compensating controls reviewed and approved” by the Chief Information Security Officer (Section 500.15).

One more caveat to keep in mind: The foregoing is only a thumbnail sketch of the cyber regulation’s 2018 requirements. Companies should carefully review the language of the regulation itself and seek counsel when necessary to better understand compliance obligations.

Over the coming months, we’ll do a deeper dive on the 2019 requirements, including the detailed requirements for third-party service providers and which “senior officer(s)” might be eligible to certify an organization’s compliance.

By Kade N. Olsen and Craig A. Newman of Patterson Belknap Webb & Tyler LLP, a law firm in New York that has a Privacy and Data Security Practice. Read more Patterson Belknap blogs here.