Akin Gump Strauss Hauer & Feld LLP

On September 1, 2018, five new requirements included in the New York State Department of Financial Services’ (DFS) Cybersecurity Regulation go into effect – (1) audit trails, (2) application security, (3) data disposal requirements, (4) monitoring authorized users’ activity, and (5) encryption of nonpublic information. Of these, the requirement to encrypt nonpublic information when held at rest or transmitted over external systems may be the most burdensome for businesses. Entities that fall within the Regulation’s limited exemption provided in Section 500.19(a) (e.g., fewer than 10 employees, less than $5 million in gross annual revenue for last three years, or less than $10 million in year-end total assets) are exempt from complying with any of these provisions, aside from the data disposal requirement. All other covered entities are expected to be in compliance as of September 1.

DFS has not yet provided guidance as to when it will begin to penalize noncompliance with the Regulation, or what penalties may look like. Absent additional insight, covered entities would be wise to take action now to ensure they are in compliance with the Regulation.

  1. Audit Trails – Section 500.06 requires all non-exempt covered entities to maintain systems to facilitate reconstruction of material financial transactions and cybersecurity audit trails, and to retain related records for three to five years. Covered entities are expected to have systems in place to reconstruct material financial transactions sufficient to support the entities’ normal operations and obligations. Records related to these systems must be maintained for five years. Covered entities also must have audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of their normal operations. Records related to these audit trails must be maintained for three years.
  2. Application Security – Section 500.08 requires all non-exempt covered entities to include in their cybersecurity programs written policies and procedures to (1) ensure secure development practices for internally-developed applications, and (2) to evaluate, assess, or test the security of externally-developed applications they utilize.
  3. Data Disposal Requirements – Section 500.13 requires all covered entities, including those covered by the limited exemption, to include in their cybersecurity programs policies and procedures for the secure disposal of nonpublic information that is no longer necessary for business operations or for other legitimate business purposes. Covered entities are permitted to retain such information if they are otherwise required to retain it by another law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
  4. Monitoring Authorized Users’ Activity – Section 500.14(a) requires all non-exempt covered entities to implement risk-based policies, procedures, and controls to monitor the activity of authorized users and detect if those users are improperly using or tampering with nonpublic information. The definition of authorized users includes employees, contractors, agents or other persons who participate in a covered entity’s business operations and are authorized to access and use any information systems and data of the covered entity. As a result, this provision potentially requires the monitoring of a broad range of personnel.
  5. Encryption of Nonpublic Information – Section 500.15 requires all non-exempt covered entities to, as part of their cybersecurity program based on their risk assessments, implement controls, including encryption or use another effective alternative control, to protect all nonpublic information when held or transmitted over external systems by the covered entity. If they determine that encryption is infeasible either for information at rest or in transit, covered entities may only use an effective alternative control if the alternative is reviewed and approved by their chief information security officer. This encryption requirement is in keeping with developing best practices in some industries.

After September 1, the next and last of the Regulation’s rolling implementation deadlines is March 1, 2019 when all covered entities, even those subject to the limited exemption, are required to have a third party service provider policy in place. As of March 1, 2019, all provisions of the Cybersecurity Regulation will be in force.