Minimum protection standards are required for financial and insurance businesses licensed or required to be licensed in New York, even if the company HQ is located elsewhere.
The New York State Department of Financial Services has enacted wide-sweeping cybersecurity regulations which set forth minimum standards for protecting information systems. These regulations are geared toward financial institutions and insurance providers, but if your business is licensed (or required to be licensed) in New York this new cybersecurity law may have ramifications for your business.
The New York regulation, 23 NYCRR 500, affects not only entities incorporated or physically located in New York, but any entity “operating under a license, registration, permit, charter, certificate, accreditation, or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Businesses required to abide by the new regulations must comply before August 28, 2017. Businesses that would otherwise be subject to the new regulations but fit within one of the limited exemptions must file a notice of exemption before September 27, 2017.
Unlike the majority of state regulations that require businesses to engage in certain actions to mitigate damage after a data breach or cybersecurity attack, the New York regulation requires certain businesses to take extensive preventative measures. Here is a brief review of some of the key requirements imposed by the New York state regulations for a business licensed in New York:
1. Policy: Affected businesses must create and enforce written cybersecurity policies approved by the company’s senior officer, board of directors, or equivalent governing body. These policies must address fourteen categories that focus on prevention, mitigation, and recovery.
2. CISO: Affected entities must designate a Chief Information Security Officer (“CISO”) responsible for enforcing cybersecurity policies. An employee can serve as the CISO, but businesses may instead engage qualified individuals working for affiliates or third party service providers to fill the role. The CISO must submit annual reports to the board of directors or its equivalent regarding the status of the cybersecurity program and any known threats.
3. Testing: Affected entities must undergo monitoring and testing as a part of their cybersecurity programs.
4. Personnel: Affected entities must employ trained cybersecurity personnel, either as an employee or through a third party, to apprise the affected entity of new threats and address flaws in the cybersecurity program.
5. Third Parties: Affected entities must ensure any non-public information transacted with or accessible to third parties remains adequately protected. To that end, affected entities must develop written policies governing third party interaction that set forth the minimum cybersecurity criteria a third party must maintain in order for the affected entity to do business with it. Affected entities must also perform due diligence to assess the cybersecurity practices of third parties.
The New York regulation also lays out requirements involving data retention, multi-factor authentication, confidentiality, and notices required in the event of a breach. The law contains a number of partial exemptions for certain businesses, and not all businesses are subject to the new regulation. However, if you do business with any business licensed in New York, it is possible you will be affected by these regulations and should ensure your cybersecurity plan will not preclude you from continuing or adding business relationships with entities covered under the new regulations.
Further, New York is likely the first domino to fall as many states are expected to pass extensive cybersecurity regulations focusing on prevention in addition to the already existing regulations that emphasize notice and post-cybersecurity breach actions. The New York Department of Financial Services has published an FAQ page in relation to 23 NYCRR 500.
Woods Rogers’ Cybersecurity team has designed a plan to address these new regulations and others like them to bring your business into compliance. Contact us for more information or for further legal assistance in your cyber protection efforts.