Once again, March 1st nears. And with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”) first put into effect on March 1, 2017. Let’s breakdown what this means.
“Covered Entities” under the Regulation, includes those entities that are operating or are required to operate under the New York insurance, finance and banking laws.
The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.
The policies shall be based upon a risk assessment and address, to the extent applicable:
1. The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);
2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;
3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and
4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.
Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including to the extent applicable guidelines addressing:
1. The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;
2. The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
3. Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and
4. Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.
Note, the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as their only means of evaluating their compliance with this milestone.
There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.
The process of developing and implementing Third Party Service Provider policies can be cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.
Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.
Because the DFS Regulation says so.
The contents of the Regulation,23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
How (to take Next Steps)?
Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.
The attorneys at Beckage PLLC can help you navigate through policy drafting the Third-Party Service Provider risk assessment and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.
DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage: www.beckage.com or email@example.com.
Attorney Advertising: Prior results do not guarantee a similar outcome.