The latest salvo in the cyber-security regulatory wars is the recently issued New York state Department of Financial Services Cybersecurity Rule. The far-reaching rule technically applies to every individual and entity operating in New York under the banking, insurance or financial services laws.

According to regulators, the rule is intended to catalyze a fundamental change in how the financial services sector considers and approaches cyber security. The regulation took effect March 1, although you need not be in compliance until August 28. And requisite compliance with many of the more technical requirements is delayed until 2018 or beyond.

The initial proposed rule was widely criticized both because it purported to apply to individuals and firms outside of New York and because it was overly prescriptive and at odds with federal and other widely accepted protocols. Although the final rule remains highly prescriptive for those subject to the full thrust of its requirements, the list of regulatory exemptions was expanded, so the regulatory burden for many is drastically minimized.

Most significantly for us, a “small business” exemption was modified to cover any firm whose New York-specific business is more limited. Any firm (including its affiliates) that has at least one of the following characteristics is considered a small New York business:

  • Fewer than 10 employees (including independent contractors) in New York
  • Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations
  • Less than $10 million in year-end total assets.

Firms that fall within this category qualify for an exemption from many of the rule’s requirements, provided the firm files a prescribed Notice of Exemption with NYDFS within 30 days of determining it is eligible.

Licensed agents and brokers with firms that either are in compliance with the rule or qualify for a firm-level exemption are separately exempt from having any individual compliance obligations. The Notice of Exemption filing requirement, however, appears to apply to individual licensees. We have asked the department to clarify if this is not the case, as it would result in the submission of tens of thousands of notices from individual licensees. We have received no response to that request.

By August 28, all agencies and brokerages licensed in New York—including those that qualify for the small-business exemptions—will be required to:

  • Develop a cyber-security program based on a risk assessment that is designed to ensure the confidentiality and integrity of information systems, detect cyber events—any attempts (successful or unsuccessful) to gain unauthorized access or disrupt a system—and respond to, mitigate and recover from those events
  • Develop a written cyber-security policy approved by a senior officer or board of directors that sets forth the firm’s policies and procedures to protect information
  • Conduct periodic risk assessments to identify points of weakness in their information systems and inform the design of a cyber-security program by March 1, 2018
  • Implement by March 1, 2019, policies and procedures applicable to third-party vendors that have access to the firm’s secure network and non-public information
  • Provide proper notices to regulators within 72 hours of a cyber-security event that has a reasonable likelihood of materially affecting the firm’s normal operations and provide a written certificate certifying that the company is in compliance with the rule by February 15 of each year.

Firms that do not qualify for the New York small business (or another) exemption must do the following:

  • Appoint a chief information security officer to implement the cyber-security program and oversee qualified cyber-security personnel
  • Test the program through penetration testing and vulnerability assessments by March 1, 2018
  • Maintain an audit trail for all cyber-security activity by Sept. 1, 2018
  • Implement risk-based controls to monitor user access by Sept. 1, 2018
  • Implement multifactor authentication procedures for user access by March 1, 2018
  • Encrypt non-public information by Sept. 1, 2018
  • Create a written incident response plan for any material cyber-security event
  • Ensure by March 1, 2018, employees engage in regular cyber-security awareness training
  • Establish procedures by Sept. 1, 2018, for ensuring the security of in-house developed applications.

This list is heavy with technical requirements designed to maximize a firm’s cyber security. With regard to app security, for example, companies not only have to ensure they employ secure development practices for their own applications but must also have procedures for evaluating and assessing the security of externally developed applications.

And to prevent unauthorized access to non-public information or information systems, firms must utilize specific multifactor techniques or reasonably equivalent alternatives.

There is a lot to be done. Now the question is, will your firm be ready?

Sinder is The Council’s chief legal officer. ssinder@steptoe.com
Fielding is CIAB general counsel. john.fielding@ciab.com
Rigamonti is a Steptoe associate. erigamonti@steptoe.com