As a follow-up to our previous reports (December 30, 2016 Alert; February 24, 2017 Alert) on the cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS), 23 NYCRR Part 500, we remind covered entities that the first of several implementation deadlines falls this month, on August 28, 2017. To help you prepare, we provide here an overview of the requirements covered entities must have in place by that date.
In addition to this overview, covered entities may also turn to the NYDFS’ Frequently Asked Questions Regarding 23 NYCRR Part 500 as a helpful resource in preparing for implementation.
August 28, 2017 Implementation Requirements Overview
Cybersecurity Policy
Keep in mind that your written cybersecurity policy or policies must be tailored to your entity and must address the following topics, as relevant to your organization:
Information security
Data governance and classification
Asset inventory and device management
Access controls and identity management
Business continuity and disaster recovery planning and resources
Systems operations and availability concerns
Systems and network security and monitoring
Physical security and environmental controls
Customer data privacy
Incident response
The topics below must also be addressed in your entity’s Cybersecurity Policy or Policies, but the compliance deadlines for the underlying requirements extend beyond August 28, 2017. If you have not yet completed the work these sections require, update your policies as each date approaches so that the relevant sections are in place:
Risk assessment – Risk Assessment transitional period ends March 1, 2018
Systems and application development and quality assurance – Application Security transitional period ends September 1, 2018
Vendor and third party service provider management – Third-Party Service Provider Security Policy transitional period ends March 1, 2019
Access Privileges
As part of the Cybersecurity Program, your entity must limit the access privileges users have to information systems that provide access to Nonpublic Information [1], and must periodically review those privileges. Consider your company’s information systems and determine who needs access to what, recognizing that different roles require access to different information. Work with your systems administrators to tailor individual and departmental access accordingly. And, importantly, document these decisions and the reasoning behind them: the periodic review of access privileges is itself a recurring requirement, and the documentation is what makes that review possible.
Chief Information Security Officer
Your entity must designate a qualified individual as Chief Information Security Officer (CISO), responsible for overseeing and implementing the Cybersecurity Program and enforcing the Cybersecurity Policy, including written reports to the Board, at least annually, on your organization’s program and material cybersecurity risks. If your company is unable to employ or identify an individual within your organization to fulfill this requirement, keep in mind that, with the oversight the NYDFS rule requires (your entity retains responsibility for compliance and designates a senior member of its own personnel to direct and oversee the arrangement), the CISO may be employed by an affiliate or a third party service provider.
Cybersecurity Personnel
The NYDFS expects covered entities to use qualified personnel to manage the Cybersecurity Program and to perform the core cybersecurity functions specified in the regulation. These individuals must receive cybersecurity updates and training sufficient to address relevant cybersecurity risks, and your organization must verify that key personnel take steps to keep their knowledge of cybersecurity threats and countermeasures current.
Incident Response Plan
The incident response plan must, at minimum, be in writing and set out how the organization will “respond to, and recover from” a Cybersecurity Event (as that term is defined in the regulation) that materially affects the confidentiality, integrity or availability of its information systems or the continuing functionality of any aspect of its business or operations. The written plan must address the following for your organization:
The internal processes your organization will use to respond to a Cybersecurity Event
The goals of your organization’s Incident Response Plan
Clear definitions of roles, responsibilities, and levels of decision-making authority if and when your organization faces a Cybersecurity Event
External and internal communications and information sharing
Identification of requirements for the remediation of any identified weaknesses in information systems and associated controls
Documentation and reporting regarding cybersecurity events and related incident response activities; and
The evaluation and revision as necessary of the incident response plan following a cybersecurity event.
Notice of Exemption
Covered entities that, as of August 28, 2017, qualify for an exemption under 23 NYCRR 500.19(a)-(d) must file a Notice of Exemption with the NYDFS prior to September 27, 2017. Details about the remaining implementation deadlines may be found in our previous alert.
Authored by Harriet Pearson and Ashley Hutto-Schultz