Today, the New York Department of Financial Services (DFS) released a revised version of the proposed cybersecurity regulations that it first issued in September. According to a press release issued by DFS Superintendent Vullo, the new version of the proposed rules will be finalized following a 30-day notice and public comment period.
Among the most notable changes are an extension of the effective date to March 1, 2017, an array of longer transition periods for various sections of the regulation, increased emphasis on risk assessment, and a slight reduction in the extremely broad scope of the term “Nonpublic Information” from the previous draft. Below is a description of these notable changes. Of course, it is recommended that organizations that expect to be required to comply with the rules read the entire revised version.
- Effective Date: The effective date of the proposed rules will be March 1, 2017 rather than January 1, 2017, and the first certification of compliance is due to the Superintendent on February 15, 2018.
- Expanded Transitional Periods: Previously, Covered Entities were granted only 180 days from the effective date to comply with the rules. In the revised proposed rules, Covered Entities will also have:
  - One year from the effective date to comply with provisions concerning reports from the CISO to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), Risk Assessments (500.09), Multi-Factor Authentication (500.12), and cybersecurity awareness training for all personnel (500.14(a)(2));
  - Eighteen months from the effective date to comply with provisions concerning audit trails (500.06), application security (500.08), limitations on data retention (500.13), monitoring the activity of Authorized Users (500.14(a)(1)), and encryption of Nonpublic Information (500.15); and
  - Two years from the effective date to comply with the section concerning Third Party Service Provider Security Policies (500.11).
  These expanded transitional periods effectively extend the compliance deadline for much of the proposed rules by a year or more.
- Nonpublic Information: Whereas the original proposed rules included in the definition of Nonpublic Information “any information that can be used to distinguish or trace an individual’s identity,” the revised version combines that language with another provision concerning customer information.
  The new (combined) definition includes the following provision: “Any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account; or (v) biometric records.”
- Penetration Testing and Vulnerability Assessment: Instead of mandating penetration testing and vulnerability assessments at fixed intervals in all instances, the revised rules require an entity to “include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program.” This monitoring and testing must include either (i) continuous monitoring or (ii) periodic penetration testing and vulnerability assessments, with the latter mandated at fixed intervals only if the Covered Entity has not implemented “effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities.” Where they are required, vulnerability assessments would be mandated on a bi-annual basis rather than quarterly.
- Multi-Factor Authentication: Whereas the previous version of the proposed rules required that Multi-Factor Authentication and Risk-Based Authentication be used in various circumstances, the revised version would only mandate the use of Multi-Factor Authentication (or reasonably equivalent controls) for any access to the Covered Entity’s internal networks from an external network. Instead of mandating other specific use cases for Multi-Factor Authentication and Risk-Based Authentication, it now requires Covered Entities to “use effective controls . . . to protect against unauthorized access to Nonpublic Information or Information Systems” based on their Risk Assessment, which may include Multi-Factor Authentication and Risk-Based Authentication.
- Breach Notification: Although the wording change seems minor, it matters: the revised version of the proposed rules requires notification to the Superintendent of “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” Previously, this provision required notification to the Superintendent of Cybersecurity Events that had a “reasonable likelihood of materially affecting the normal operation of the Covered Entity.”