New York State Implements Comprehensive New Cybersecurity Regulation

March 2, 2017

Effective March 1, 2017, New York State implemented a comprehensive new cybersecurity regulation.  While it does not apply to all investment advisers, it may impact advisers affiliated with banks and other financial institutions regulated by New York State.

The regulation was initially introduced on September 13, 2016, and later revised in response to public comments.  After the March 1, 2017 effective date it contains various deadlines between 180 days to up to two years for compliance. The regulation requires banks, insurers and other financial services companies regulated by NYS's Department of Financial Services ("DFS") to set up cybersecurity programs to protect consumer information from cyberattacks. In finalizing the regulation, the DFS took into account the large number of public comments it received after it proposed the regulation in September. A broad variety of commenters expressed concerned about the regulation's “one-size-fits-all” approach, and the technical and financial burdens the proposed regulation would have imposed on small businesses, particularly with respect to reporting and encryption requirements. As finalized, the regulation is designed to offer more flexibility to regulated businesses, with many of its requirements based on the covered entity’s own assessment of the areas in which it is most vulnerable.

In summary, as noted in the NYS press release,  "The final risk-based regulation includes certain regulatory minimum standards while encouraging firms to keep pace with technological advances. The new regulation provides important protections to prevent and avoid cyber breaches, including:

  •     Controls relating to the governance framework for a robust cybersecurity program including requirements for a program that is adequately funded and staffed, overseen by qualified management, and reported on periodically to the most  senior governing body of the organization;
  •     Risk-based minimum standards for technology systems including access controls, data protection including encryption, and penetration testing;
  •     Required minimum standards to help address any cyber breaches including an incident response plan, preservation of data to respond to such breaches, and notice to DFS of material events; and
  •     Accountability by requiring identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS."

The regulation takes a risk based approach to 14 required elements under Section 500.03:

  1. Information security
  2. Data governance and classification
  3. Asset inventory and device management
  4. Access controls and identity management
  5. Business continuity and disaster recovery planning and resources
  6. Systems operations and availability
  7. Systems and network security
  8. Systems and network monitoring
  9. Systems and application development with quality assurance
  10. Physical security and environmental controls
  11. Customer data security and privacy
  12. Vendor and third party service provider management and oversight
  13. Risk assessment
  14. Incident response

Practical implications:  Look carefully whether your adviser is covered.  E.g., an adviser that is a subsidiary of a bank or insurance company is likely covered if the parent is licensed by the NYS DFS.   Also, examine the variety of exemptions to see if your firm qualifies.   Even for those firms not directly impacted, the regulation provides additional guidance on cybersecurity best practices and implementation of appropriate policies and procedures.

Sources: 

Posted:  3/2/17; updated:  4/5/17 by Karl Hartmann