
New Cybersecurity Regulations Will Impact Your Business in Surprising Ways

By:
Date: Mar 07, 2017 @ 07:00 AM
Filed Under: Legal

Despite the panoply of cybersecurity and data security breach laws currently in place at both the federal and state level, the unprecedented action of one New York state agency is poised to change the regulatory landscape relating to cybersecurity nationwide. The New York State Department of Financial Services (DFS), which is responsible for overseeing and regulating entities licensed, registered or authorized under the New York Banking Law, Insurance Law or Financial Services Law, has released the final version of cybersecurity regulations ostensibly aimed at entities subject to DFS regulation. The new rules went into effect on March 1, 2017, and have appropriately been hailed as “first-in-the-nation.”

While the knee-jerk reaction – undoubtedly born from years of over-the-top warnings about impending doom from cyber threats – is to glaze over and let your IT Department worry about implementing appropriate measures, the NY Regulations cannot be ignored: not necessarily because of their draconian requirements (of which there are some), but because they have the potential to usher in a new wave of national compliance that will be confusing, complicated and costly no matter the size of your business or whether you are, in fact, located in New York.

New York rightly views itself as the steward of the financial services industry and, by putting forth the NY Regulations, has picked up the gauntlet in an effort to establish “certain regulatory minimum standards.”¹

Indeed, when announcing the NY Regulations, Governor Cuomo stated that, "New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes."²

Given the comprehensive nature of the NY Regulations and New York’s prominent role in the financial services industry, the NY Regulations will unquestionably prompt other states to enact similar regulatory standards.

While the banking, insurance and financial services industries are already subject to heavy cybersecurity regulation under federal and state laws, the NY Regulations broaden the cybersecurity requirements upon those entities subject to the oversight of the DFS (Covered Entities) by, among other things, mandating that they conduct risk assessments of their systems, establish cybersecurity programs to respond to attempted or actual unauthorized access to information systems and annually certify compliance with the NY Regulations. However, the NY Regulations extend well beyond Covered Entities, expanding the reach to entities not regulated by the DFS at all, but which are affiliated with or provide services to Covered Entities.

In this regard, the impact of the NY Regulations is not limited to funding sources, but will undoubtedly be felt by vendors, brokers and even repossession companies involved in the equipment leasing and finance industry. Accordingly, all of the players in our industry need to understand what may be required under the NY Regulations by virtue of contracting with or servicing a Covered Entity and begin assessing next steps and implementing policies due to the compressed time-frame imposed under the NY Regulations.

Not surprisingly, the NY Regulations received hundreds of comments and significant criticism from those affected (including a submission from the Equipment Leasing and Finance Association on behalf of its members), which prompted the DFS to make revisions to the originally proposed regulations. While the final revised NY Regulations provide some relief from the stringent requirements contained in the original proposal, they remain broad in their application and extensive in their mandates. Therefore, it is crucial to understand who the NY Regulations apply to and what is required to ensure compliance in accordance with the implementation timeframes.

Who do the NY Regulations apply to?

On their face, the NY Regulations apply to "Covered Entities," which is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." Fortunately, if there is any question about who is subject to oversight by the DFS, the DFS website has a public database that is searchable by the entity name.³

The only exemption to compliance is for a Covered Entity that: (i) employs fewer than ten employees (including independent contractors) in New York or (ii) has less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations or (iii) has less than $10 million in year-end total assets.

Whether or not you are a Covered Entity does not end the inquiry. The NY Regulations extend the reach of certain provisions by requiring that Covered Entities ensure that “Affiliates” and “Third Party Service Providers” comply with minimum cybersecurity practices. This means that any Person controlled by a Covered Entity, or any Person that provides services to the Covered Entity and maintains or has access to “Nonpublic Information,” will likely be subject to many of the mandates of the NY Regulations. “Nonpublic Information” is a term unique to the NY Regulations and generally includes any personal information of an individual (name, number, etc.) that can be used to identify him or her, in combination with a social security number, driver’s license/non-driver identification card number, account or credit card number, security or access code, or password permitting access to such individual’s financial records or biometric records.

The range of companies and services subject to the NY Regulations is thus extensive. For example, a vendor that gathers an individual’s personal information for a financing application on behalf of a Covered Entity would be subject to the minimum cybersecurity requirements established by the Covered Entity (discussed further below) even if the vendor is located in California and not otherwise required to be licensed under New York’s Banking, Insurance, or Financial Services Laws.

What do the NY Regulations require?

A key aspect of the revised NY Regulations was the recognition by the DFS that Covered Entities’ risk profiles are not “one size fits all.” As such, a Covered Entity is required to undertake a periodic Risk Assessment of its information systems to identify controls necessary to protect the Covered Entity’s business, Nonpublic Information and information systems. Based upon the Risk Assessment, the Covered Entity must implement a cybersecurity program that is designed to protect the confidentiality and availability of the information system and establish and implement a written cybersecurity policy that sets forth the policies and procedures for protecting Nonpublic Information.

The cybersecurity program must identify and assess cybersecurity risks, and detect, respond to, and recover from “Cybersecurity Events,” which include attempted as well as actual unauthorized access to information systems. This individualized approach is meant to afford the Covered Entity some flexibility in tailoring a program to its specific needs. Nonetheless, Covered Entities must still meet stringent reporting requirements (including annual certification that they are complying with the NY Regulations), designate personnel to oversee and enforce the cybersecurity program and conduct continuous monitoring and testing.

Covered Entities must also implement written policies and procedures for Third Party Service Providers that comply with the Covered Entity’s Risk Assessment to ensure the security of Nonpublic Information held by or accessible to Third Party Service Providers. The Covered Entity must specify the “minimum cybersecurity practices” required to be met by the Third Party Service Providers, ensure the Third Party Service Providers’ use of multi-factor authentication and/or encryption (as needed) to limit access to Nonpublic Information, and require notice to be provided to the Covered Entity in the event of a Cybersecurity Event. The NY Regulations envision that these requirements will be imposed on the Third Party Service Providers via guidelines for due diligence and/or contractual provisions.

Depending upon the cybersecurity policies and technologies already employed by a Third Party Service Provider, compliance may be difficult and expensive, not to mention complicated, given the Third Party Service Provider’s potential compliance with other state and federal laws. By way of example, a vendor may not have the technology or personnel in place to rapidly monitor and detect a Cybersecurity Event (let alone one that was unsuccessful), but may nevertheless be contractually obligated to report such an event within 72 hours to the Covered Entity so the Covered Entity can, in turn, report the incident to the DFS. Failure to report could result in the vendor defaulting on its contractual obligations with the Covered Entity.

When do the requirements imposed by the NY Regulations have to be implemented?

As noted above, the NY Regulations become effective March 1, 2017. However, compliance with certain significant provisions has been staggered to permit the Covered Entities to implement the cybersecurity program. Covered Entities will have between 180 days and two years from the effective date of the NY Regulations to comply with the requirements. Cybersecurity programs and cybersecurity policies must be established and implemented within 180 days of the effective date, while Covered Entities have two years from the effective date to establish policies and procedures for Third Party Service Providers.

The Takeaway

While most Covered Entities may already have appropriate cybersecurity measures in place due to existing federal and state regulations, the NY Regulations not only create new obligations, but will likely serve as a trigger point for increased state regulation of cybersecurity policy. Regardless of which states ultimately follow New York’s lead, the fact remains that the NY Regulations may affect your business no matter your size or where you conduct business.

Covered Entities will pass some or all of the requirements under the NY Regulations through to their Affiliates and Third Party Service Providers to ensure compliance with the NY Regulations. Although the NY Regulations are silent about the penalties for violation of the NY Regulations, under the authority of the superintendent, DFS will presumably be able to impose civil monetary penalties or seek injunctive relief for noncompliance, prompting Covered Entities to be vigilant in ensuring their service providers are complying with the Covered Entities’ written cybersecurity policies and contractual provisions. Thus, it is critical for a Covered Entity, as well as any vendor, broker, repossession company, or any other party in the equipment leasing and financing industry dealing with a Covered Entity, to immediately begin assessing the steps necessary to ensure they are prepared to meet the requirements of the NY Regulations.

___________________________

FOOTNOTES:

¹ 23 NYCRR 500.

² Press Release, “Governor Cuomo Announces First-in-the-Nation Cybersecurity Regulation Protecting Consumers and Financial Institutions from Cyber-Attacks to Take Effect March 1,” http://www.dfs.ny.gov/about/press/pr1702161.htm (Feb. 16, 2017).

³ https://myportal.dfs.ny.gov/web/guest-applications/who-we-supervise. However, note the not-so-subtle language in the definition that the NY Regulations apply not only to those that are regulated by the DFS, but those “required to operate” under the authority of DFS.


Photos of Robert L. Hornby, Member, Chiesa Shahinian & Giantomasi and Frank Peretore, Esq., Member, Chiesa Shahinian & Giantomasi
