New cybersecurity requirements for Department of Financial Services (DFS)-regulated entities took effect on March 1, 2017. The New York DFS created these requirements in response to recent and potential threats to sensitive electronic information, particularly financial information and private consumer information. EY's report provides an overview of the new framework and its implications for the affected entities. A main goal is to protect the information systems of the affected entities and the non-public information stored in those systems.

The new cybersecurity requirements set out obligations in the areas noted below. An annual statement certifying compliance with these requirements must be submitted to the Superintendent by February 15th. In the context of an M&A transaction, purchasers considering the acquisition of a DFS-regulated entity should conduct effective due diligence to ensure the target is in compliance with these new requirements.

Risk assessment

Each entity must periodically assess the risk to its information systems from a cybersecurity standpoint. This assessment must be in accordance with defined policies and is to inform the cybersecurity program and policies developed under the new requirements.

Cybersecurity program

Each entity must maintain a cybersecurity program that performs enumerated cybersecurity functions, including identifying and detecting, protecting against, responding to, and recovering from cybersecurity events and risks; the program must include an incident response plan. The entity must also manage access to its non-public information by maintaining user access privileges, adopting data retention policies, monitoring access, providing training on access, and implementing encryption or encryption-like protection for non-public information it holds or transmits, including over external networks. The entity must also ensure that its own, or a third party's, development of computer applications meets defined security-related standards. Further, the entity must perform penetration testing and vulnerability assessments of its cybersecurity program at a specified frequency and in accordance with the risks identified by its risk assessment.

Cybersecurity policies

Each entity must adopt a written policy or policies that address, as applicable, 14 enumerated items relating to information access management, security, data governance, business continuity and recovery, and risk assessment and response. Further, each entity must adopt written policies governing the information systems and non-public information that are accessible to its third-party service providers.

Chief Information Security Officer (CISO) and personnel

Each entity must designate a CISO who is responsible for managing and enforcing the cybersecurity program and policies. The CISO must prepare a written report to the entity's board of directors. The entity must also have qualified cybersecurity personnel who are trained in addressing cybersecurity risks.

Notices to Superintendent and record keeping

In the event of a material cybersecurity event, the entity must notify the Superintendent within 72 hours.

Additionally, the entity must maintain records that support its annual certification of compliance with these requirements, as well as audit trails sufficient to support its normal operations and to detect and respond to material cybersecurity events.

The author would like to thank Larissa Leong, Articling Student, for her assistance in preparing this legal update.


About Norton Rose Fulbright Canada LLP

Norton Rose Fulbright is a global law firm. We provide the world's preeminent corporations and financial institutions with a full business law service. We have 3800 lawyers and other legal staff based in more than 50 cities across Europe, the United States, Canada, Latin America, Asia, Australia, Africa, the Middle East and Central Asia.