The Extensive Reach of New York’s Proposed Cybersecurity Regulations: Vendor Contracting to Mergers and Acquisitions to Incident Response and Beyond
The New York Division of Financial Services (NYDFS) issued the most comprehensive cybersecurity regulations in the nation on September 13, 2016. A 45-day comment period commenced on September 28 when the regulations were published in the New York State Register, and they will go into effect on January 1, 2017. These regulations will require sea-changes in safeguards for information held by covered entities; due diligence and representations and warranties of compliance for affected institutions in mergers or acquisitions; and documentation and evidence of controls for information encryption, access and breach response. The time window for compliance is very narrow, only six weeks from the end of the comment period to the effective date. Covered entities should begin their compliance initiatives now.
These regulations affect all entities under the jurisdiction of NYDFS, including banks (New York branches of foreign banks are affected), myriad other “registered financial institutions,” lenders, credit unions, mortgage brokers, insurance carriers (including health plans) and brokers and charitable foundations.
The regulations are highly specific, requiring, among other things, a written cybersecurity program and policy with detailed cybersecurity procedures; specific access privilege controls; annual penetration testing; encryption of “non-public information” held by the entity at rest and in transit; a written incident response plan that meets seven specified criteria; implementation training; and annual certification of compliance, including efforts to remediate any deficiencies.
Contracts with vendors, under the regulations, must include provisions (similar to the Business Associate Agreements that organizations execute with HIPAA Covered Entities) in which the vendors agree to meet such provisions of the regulations as encryption in transit and at rest and the right of the entity or its agent to audit the third-party service provider. This will lead to an increase in audits of service providers ranging from IT consultants to accountants to law firms.
Acquirers will, after January 1, undoubtedly add questions about compliance with these very specific information safeguard provisions in due diligence questionnaires; and target companies will include compliance in their representations and warranties.
Data breaches were clearly on the minds of the drafters. Notification to NYDFS is required within 72 hours of “becoming aware of a Cybersecurity Incident,” one of the shortest notification periods in the U.S. Covered entities must have a written process in place to “respond to Cybersecurity Incidents and minimize negative effects.” A “Cybersecurity Event” is defined as an incident that “has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects nonpublic information.” Notice within 72 hours is also required whenever the entity has “identified any material risk of imminent harm to its cybersecurity program.” This may comprise malware of many varieties and may, accordingly, require active malware detection. Must one report all such malware? This is not yet clear.
It is clear, though, that a great deal of process work, policy drafting, workforce training and process testing is required in a very short period of time. If you have questions regarding the scope of required compliance initiatives and documentation, or questions about enforcement of these regulations, please contact Kenneth N. Rashbaum.