In the fast-paced, ever-evolving world of privacy and cybersecurity law, gathering the biggest news from 2019 was no small feat – from new laws and landmark cases, to major technological developments and international guidelines, it was a busy year for anyone trying to stay up to date. But Beckage has narrowed down the top privacy and cybersecurity stories that shaped last year:
Once again, March 1st nears. And with it comes a cybersecurity compliance milestone for those entities operating under New York’s insurance, finance and banking laws. This date now looms large thanks to the New York State Department of Financial Services (“DFS”) and its Cybersecurity Regulation (“Regulation”) first put into effect on March 1, 2017. Let’s breakdown what this means.
“Covered Entities” under the Regulation, includes those entities that are operating or are required to operate under the New York insurance, finance and banking laws.
The next compliance milestone pertains to putting in place policies for Third Party Service Providers. The policies and procedures need to address the security of vendors who are accessing a Covered Entity’s systems or “non-public information” as addressed under the Regulation.
The policies shall be based upon a risk assessment and address, to the extent applicable:
1. The identification and risk assessment of Third-Party Service Providers (as defined under the Regulation);
2. Minimum cybersecurity practices required to be met by such Third-Party Service Providers in order for them to do business with the Covered Entity;
3. Due diligence processes used to evaluate the adequacy of cybersecurity practices of such Third-Party Service Providers; and
4. Periodic assessment of such Third-Party Service Providers based on the risk they present and the continued adequacy of their cybersecurity practices.
Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to Third-Party Service Providers including to the extent applicable guidelines addressing:
1. The Third-Party Service Provider’s policies and procedures for access controls, including its use of Multi-Factor Authentication, as required by section 500.12, to limit access to relevant Information Systems and Nonpublic Information;
2. The Third-Party Service Provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect Nonpublic Information in transit and at rest;
3. Notice to be provided to the Covered Entity in the event of a Cybersecurity Event directly impacting the Covered Entity’s Information Systems or the Covered Entity’s Nonpublic Information being held by the Third-Party Service Provider; and
4. Representations and warranties addressing the Third-Party Service Provider’s cybersecurity policies and procedures that relate to the security of the Covered Entity’s Information Systems or Nonpublic Information.
Note, the DFS has advised that it is insufficient to rely solely on the Certification of Compliance submitted by the Third-Party Service Providers to the DFS under the Regulation as their only means of evaluating their compliance with this milestone.
There have been a number of milestones for Covered Entities to address since the Regulation went into effect on March 1, 2017.
The process of developing and implementing Third Party Service Provider policies can be cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers.
Begin as soon as possible, as there are often several components to the analysis and March 1, 2019 is nearing.
Because the DFS Regulation says so.
The contents of the Regulation,23 NYCRR Part 500, can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
How (to take Next Steps)?
Consult legal counsel to confirm whether your policies comply with the Regulation and other applicable laws.
The attorneys at Beckage PLLC can help you navigate through policy drafting the Third-Party Service Provider risk assessment and other regulatory compliance matters by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.
DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage: www.beckage.com or firstname.lastname@example.org.
Attorney Advertising: Prior results do not guarantee a similar outcome.
The New York State Department of Financial Services issued a Cybersecurity Regulation (23 NYCRR 500)(“Regulation”) that went into effect on March 1, 2017. The Regulation carried with it several compliance milestones applicable to “Covered Entities” under the Regulation, which includes those entities that are operating or required to operate under the New York insurance, finance and banking laws.
SUMMARY OF COMPLIANCE MILESTONES TO DATE
The Regulation first required Covered Entities to establish a number of Cybersecurity and IT policies and procedures by August 28, 2017. Next,Covered Entities were required to submit a Certification to the Department of Financial Services by February 5, 2018, that they complied with the first milestone under the Regulation. By March 1, 2018, the Regulation required Covered Entities to additional CISO reporting,Annual Penetration Testing and Vulnerability Assessments, Risk Assessments and implement Multi-Factor Authentication where necessary based on the results of the Risk Assessments.
The most recent milestone was on September 3, 2018. Covered Entities were responsible for establishing audit trails to reconstruct material financial transactions creating policies and procedures around in-house developed applications and assessing the security of externally developed applications. In addition, Covered Entities were required to establish policies on Data Retention limitations, continue Cybersecurity training and monitoring and develop procedures for the encryption of Non-Public Information that is transmitted over external networks and at rest, unless infeasible.
NEW MILESTONE – MARCH 1, 2019 DEADLINE
The next compliance milestone pertains to Third Party Service Providers. This milestone must be met by March 1, 2019 and involves the oftentimes complex process of evaluating the Third-Party Service providers utilized by your company. This process can be a cumbersome and time-consuming given to the complexity of the relationships your company may have with a variety of Third-Party Service Providers. Accordingly, it is recommended that you begin this process as soon as possible as there are often several components to the analysis.
SUGGESTED NEXT STEPS
Moving towards the March deadline, Covered Entities should assess the risk that each Third-Party Service Provider poses to their data and systems and then determine an effective solution to address those risks. It is insufficient to rely solely on the Certification of Compliance submitted by theThird-Party Service Providers the DFS under the Regulation as their only means of evaluating their compliance with this milestone.
Covered Entities should take steps to determine what, if any, Third Party Service Providers are being utilized by the company, evaluate them as it relates to security, and review the relevant policies and procedures. Covered Entities should consider whether or not it makes sense to require Third Party Service Providers to carry adequate insurance including Cyber Insurance to cover both the entity and the Covered Entity should a breach occur.
ADDITIONAL INSIGHT INTO THE REGULATION
It is helpful to note that the DFS regularly answers FAQs pertaining to the DFS Cybersecurity Regulation that provide valuable insight. The complete list of FAQs can be found at the following link: https://www.dfs.ny.gov/about/cybersecurity_faqs.htm
The contents of 23 NYCRR Part 500 can be found here: https://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf
The attorneys at Beckage PLLC are fully equipped to help you navigate through the Third-Party Service Provider Risk Assessment and all other components required under the Regulation by offering practical legal advice that will help arm your company with the knowledge to assist in making sound business decisions.
DISCLAIMER: This alert is for general information purposes only. It does not constitute legal advice, or the formation of an attorney-client relationship, and may not be used and relied upon as a substitute for legal advice regarding a specific issue or problem. Advice should be obtained from a qualified attorney or practitioner licensed to practice in the jurisdiction where that advice is sought. If you have any questions, please contact an attorney at Beckage. www.beckage.com.or email@example.com.
Attorney Adverting: Prior results to not guarantee a similar outcome.