Not quite; but cybersecurity and information governance folks need to pay attention to these changes.
Two years ago, New York’s Department of Financial Services (DFS), which regulates companies in the financial services industry, promulgated regulations in an effort to establish minimum cybersecurity requirements for companies that do business in New York (see, 23 NYCRR 500 or click here).
Last month marked the deadline for certain regulatory activities required under the new DFS rules. How many companies have complied is anyone’s guess, but it seems useful to remind legal operations personnel and their IT security folks of their compliance obligations.
Under the regulations, any DFS regulated entity doing business in New York is required to establish an internal cybersecurity program to protect information assets under their control. Organizations with less than 10 employees or revenue below $5 million or year-end assets under $10 million are exempt from some of the more onerous requirements. But it appears that even these smaller entities still have obligations to limit access to information, assess their risk, implement policies related to third-party data control and their own data disposition. All regulated entities are also obligated to report a breach event regardless of size.
Basically, the DFS is forcing financial services companies to implement information governance policies. This is not necessarily a terrible thing because, as I’ve indicated time and again, knowing what information an organization has, how it’s created, accessed and where it’s stored and secured just makes good business sense.
Still, a few things stand out about these new regulations that many organizations may not have considered.
First, the third-party requirements in section 500.11 require all covered entities to implement policies and procedures “to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.” Based on this language, it appears that any entity using a third-party service provider to process, review or store nonpublic information will need to ensure that the third-party also has the minimum information security protections in place.
Knowing what I know about how a client’s electronically stored information might find its way to a law firm or e-discovery vendor, it seems pretty clear that the DFS regulations impact more than just the covered entities. Significantly, it is for this requirement that the deadline to comply recently passed. So, if you have not already done so, it would be prudent to consider how this third-party requirement impacts your organization.
Second, while it seems unlikely that we will see the kind of GDPR-like fines we’ve recently read about, the DFS regulations don’t speak much to the question of penalties for failure to comply. Section 500.20 speaks to enforcement, and the superintendent of DFS has regulatory enforcement powers under the NYS Banking Law, but unless you’ve been through that process, how do you know what potential fines await the non-compliers?
In short, fines for DFS regulatory violations can range from a few thousand dollars up to $75,000 or higher. These fines can be imposed on a daily basis, meaning that for each day an organization is not in compliance the fines may accrue.
Third, many articles about the DFS cybersecurity regulations firmly make the point that companies need to comply with the new requirements unless they are exempt from compliance. What I have not seen emphasized as much is the need for all organizations licensed or regulated by the DFS, exempt or not, to meet certain cybersecurity requirements. It does not appear that even smaller entities are exempt from the requirements related to access to information (500.07), performance of a risk assessment (500.09), or the retention and data disposition requirements (500.13).
As the DFS superintendent made clear in a December 21, 2018 memorandum addressed to CEOs of regulated entities:
“By March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers’ private data . . .. The regulation sets forth certain limited exemptions, many of which still require certain cybersecurity programs and practices.”
If you think your organization is exempt from compliance, you might want to double check because March 1st was the deadline for compliance and, well, you can do the math on the fines if your organization has not complied.
(This article originally appeared on Above the Law in a slightly altered format)