By Robert S. Pastel, Esq.
Revised Proposed Cybersecurity regulation
The proposed Cybersecurity regulation was substantially revised and published in the State Register. There is a new public comment period, ending Friday, January 27. The revisions incorporate many of the changes to more than 150 comments received. Overall the revisions have been positive, tailoring the regulation to a more risk-based approach, tightening up the definitions, providing more time for compliance for the provisions, tailoring the notification to DFS to within 72 hours of a cybersecurity event where there is a reasonable likelihood of materially harming any material part of normal operations, and expanding the limited exemptions. DFS may be receptive to minor technical changes.
The limited exemption that could apply to some wholesalers was expanded. This provision, 500.19 (a), partially exempts covered entities, which includes agents, brokers and excess line brokers, with fewer than 10 employees (including any independent contractors) OR less than $5 million in gross annual revenue in the last three fiscal years OR has less than $10 million in year-end total assets. However, this is a limited exemption, these entities must still have a cybersecurity program, cybersecurity policy, limitation on access privileges, and a third party provider security policy. Some of these requirements have a longer transition period.
Those covered entities that qualify for an exemption must file a Notice of Exemption with the DFS. In the event that they no longer qualify for the limited exception, the other provisions of the regulation would apply to them.
Also, 500.19(b) exempts out employees, agents, representatives or designees of a Covered Entity to the extent the Covered Entity covers those individuals under their own Cybersecurity Program. We have to look at this provision carefully, since it does not mention “brokers.”
Finally, 500.19(c) exempts out Covered entities that do not directly or indirectly operate or control any information systems that do not possess Non-public information (a defined term) from all the provisions EXCEPT the requirement for a Risk Assessment and Third Party Service Security Policy. All covered entities must comply with the all of the following, except for those which qualify for a limited exemption per above, who must comply with the yellow highlighted provisions only.
Additionally, the new proposed Effective Date of Regulation is March 1, 2017; with compliance by entities within 180 days, or August 28, 2017. The Certification of Compliance to DFS becomes effective as of February 15, 2018. There are transition periods for compliance with the provisions, however, which extends as noted below. Remember, also, that under current Insurance Regulations, as licensees, wholesalers are already required to have risk assessment programs in place.
Transitional dates noted below, otherwise, covered entity must be in compliance by August 28, 2017.
Compliance for the following is required by August 28, 2017:
500.02 Cybersecurity program
500.03 Cybersecurity Policy
500.07 Access Privileges
500.10 Cybersecurity Personnel and Intelligence
500.16 Incident Response Plan
500.17 Notices to Superintendent (a) Notice of Cybersecurity event.
Certification of compliance to DFS: February 1, 2018
Compliance for covered entities is required as of March 1, 2018:
500.04 Chief Information Security Officer—; March 1, 2018
500.05 Penetration Testing and Vulnerability Assessments—March 1, 2018
500.09 Risk Assessment March 1, 2018
500.12 Multi-Factor Authentication – March 1, 2018
Compliance for the following covered entities is required as of September 1, 2018:
500.06 Audit Trail—September 1, 2018
500.08 Application Security – September 1, 2018
500.13 Limitations on Data retention – September 1, 2018
500.14 Training and Monitoring—
(a)(1) (Implementation of monitory activity of Authorized Users and detection of unauthorized users.) September 1, 2018
500.15 Encryption of Nonpublic Information— September 1, 2018
Compliance for the following is required as of March 1, 2019.
500.11 Third Party Service Provider Security Policy – March 1, 2019
Note: Even those covered entities with a limited exemption are required to comply with the yellow highlighted provision. A copy of the revised regulations can be found at http://www.dfs.ny.gov/legal/regulations/proposed/rp500t.pdf.