1/13/17 - New York Updates Proposal on Cybersecurity Regulations

The New York Department of Financial Services recently updated its proposed cybersecurity regulation for financial companies to incorporate comments received from stakeholders. Once finalized, this proposal will represent the most significant enforceable cybersecurity regulation by a state regulator. Stakeholders have until late January to comment on the updated proposal.

What Has Changed from the Initial Proposal

The updated proposal addresses many of the concerns raised by stakeholders, but it does not fundamentally alter the structure or the issues outlined in the original proposal issued in September. (Promontory published a separate overview of the September version.)

  • Increases time for compliance: The updated proposal pushes the regulation’s effective date back three months, to March 1, 2017, and gives covered entities six months from that date to come into compliance. Certain requirements, however, come with longer transition periods. Covered entities would have one year to comply with the requirements for reports to boards of directors, penetration testing and vulnerability assessments, risk assessment, multi-factor authentication, and cybersecurity awareness training. They would have 18 months to comply with the requirements related to audit trails, application security, data retention, monitoring, and encryption of nonpublic information. Lastly, they would have two years to comply with the requirements related to third-party service provider cybersecurity policies and procedures.
  • Clarifies definition of nonpublic information: The updated proposal clarifies the original definition of “nonpublic information” as any information used to seek a financial product or service. It also specifies that this information is limited to that which can identify an individual in combination with one or more of the following: Social Security number; driver’s license number or non-driver identification card number; account number, credit card number, or debit card number; any security code, access code, or password that would permit access to an individual’s financial account; or biometric records.
  • Allows for outsourcing or affiliate arrangements to satisfy requirements: The updated proposal allows firms to satisfy the requirements related to implementing a cybersecurity program or having a chief information security officer through an outsourcing arrangement or an affiliate.
  • Requires asset inventory and device management in cybersecurity policy: The updated proposal adds a requirement that a covered firm’s cybersecurity policy include an asset inventory and device management. It removes a requirement that capacity and performance planning be included.
  • Decreases frequency for board reporting: The updated proposal requires annual reporting to the board of directors or equivalent governing body in writing. It provides flexibility for the covered entity to determine what to include in this reporting. The September version would have required biannual reporting.
  • Increases flexibility in implementing controls: The updated proposal makes it easier for firms to implement penetration testing, vulnerability assessments, multi-factor authentication, and encryption. It would require a firm to consider these measures, but would allow the firm to satisfy such requirements by using compensating controls. Further, the updated proposal specifically states that covered entities must implement either continuous monitoring or periodic penetration testing and vulnerability assessments. In addition, the required frequency of vulnerability assessments decreased from quarterly to biannual, based on risk.
  • Provides explicit coverage for privacy of information reported to NYDFS: The updated proposal states that information shared by firms with NYDFS as part of the requirements would be exempt from NYDFS’ disclosure of information requirements.
  • Limits exception for third-party service provider security policy: The updated proposal would not require a covered entity to implement the third-party service provider security policy requirements for those third parties that are also considered to be covered entities under this regulation.

How Promontory Can Help

Promontory's team specializing in information and technology risk has extensive experience helping clients understand emerging regulatory expectations in this complex area, as well as practical experience of designing, delivering, and documenting programs that meet and exceed those expectations. Our professionals have served as leaders at regulatory agencies, Wall Street firms, and Fortune 100 corporations in the financial services sector and provide unique perspectives gained from seeing policy both as it is crafted and as it is implemented. We have a particular skill at communicating the effectiveness of cybersecurity programs to regulators, including their associated target states, roadmaps, and governance.

We help clients by:

  • Reviewing their end-to-end cyber programs against regulatory expectations to provide gap analyses and recommend practical enhancements
  • Providing an outside-in assessment “through the regulator’s eyes” to help identify potential risk hotspots that should be addressed before a regulatory examination
  • Assessing the governance and organization of cyber/information and technology risk programs
  • Conducting deep-dive assessment and enhancement work on particular aspects of information and technology risk management frameworks, for example by assisting with the definition, documentation, and enhancement of incident management frameworks

Contact Us

Simon McDougall
Managing Director
smcdougall@promontory.com
+44 207 997 3456

Judith Pinto
Director
jpinto@promontory.com
+1 212 542 6798