Comments on New York’s Proposed Regulation 23 NYCRR 500 relating to Cybersecurity Requirements Due November 14, 2016; ELANY Comments

Nov 1, 2016

The Excess Line Association of New York noted today, November 1, 2016, that it has submitted comments to the New York Department of Financial Services and made a number of recommendations to change the Proposed Regulation 23 NYCRR 500 relating to Cybersecurity Requirements.   

To view the letter, click here.

The comment period on the proposed Rule ends on November 14.

Proposed Regulation 23 NYCRR 500 relating to Cybersecurity Requirements requires New York-regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

New York’s tough new proposed Rule follows last year’s federal passage of the Cybersecurity Information Sharing Act, which provides important tools designed to strengthen the nation’s cybersecurity, particularly by making it easier for private companies to share cyber threat information with each other and with the government. Earlier this year, the Obama Administration implemented the Cybersecurity National Action Plan, which takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.

Meanwhile, in New York, ELANY relates that a number of brokers have asked what steps to take while rulemaking for Proposed Regulation 23 NYCRR 500 is underway.

ELANY recommends:

  • If companies do not yet have a Cybersecurity Policy and a Cybersecurity Program, they should designate an appropriate employee or committee to draft a policy and a program based upon the elements set forth in the Proposed Regulation; or
  • If companies DO have an existing Cybersecurity Policy and Program, they should assign an appropriate employee or committee the responsibility of comparing the existing Cybersecurity Policy and Program against the requirements of the Proposed Regulation.

ELANY cautions: “While taking the steps noted above makes sense as good preparation for cybersecurity that a broker might choose to adopt without regard to the promulgation of a regulation, be aware that the regulation may be substantially amended before it is implemented and its current planned implementation date of January 1, 2017 could be delayed. As such, it is a good idea to prepare a Cybersecurity Policy and Plan. However, you may want to be careful not to incur significant expenses until the requirements of a final adopted regulation are clear.”

Below are pertinent materials and the press release detailing Proposed Regulation 23 NYCRR 500:

Date Filed with the Secretary of State: September 13, 2016

Date Published in State Register: September 28, 2016

Public comment period ends on November 14, 2016

GOVERNOR CUOMO ANNOUNCES PROPOSAL OF FIRST-IN-THE-NATION CYBERSECURITY REGULATION TO PROTECT CONSUMERS AND FINANCIAL INSTITUTIONS

Proposed Rule Aims to Protect Consumer Data and Financial Systems from Terrorist Organizations and Other Criminal Enterprises

Governor Andrew M. Cuomo announced on September 13, 2016 that a new first-in-the-nation regulation has been proposed to protect New York State from the ever-growing threat of cyber-attacks. The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.

“New York, the financial capital of the world, is leading the nation in taking decisive action to protect consumers and our financial system from serious economic harm that is often perpetrated by state-sponsored organizations, global terrorist networks, and other criminal enterprises,” said Governor Cuomo.  “This regulation helps guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible.”

The proposed regulation is subject to a 45-day notice and public comment period following the September 28, 2016 publication in the New York State register before its final issuance.  It requires regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third-parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.

More details on the regulation can be found here.  All questions and comments regarding the proposed rule should be emailed to CyberRegComments@dfs.ny.gov.

The proposed regulation by the Department of Financial Services includes certain regulatory minimum standards while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.

New York State Department of Financial Services Superintendent Maria T. Vullo said, “Consumers must be confident that their sensitive nonpublic information is being protected and handled appropriately by the financial institutions that they are doing business with.  DFS designed this groundbreaking proposed regulation on current principles and has built in the flexibility necessary to ensure that institutions can efficiently adapt to continued innovations and work to reduce vulnerabilities in their existing cybersecurity programs. Regulated entities will be held accountable and must annually certify compliance with this regulation by assessing their specific risk profiles and designing programs that vigorously address those risks.”

Prior to proposing this new regulation, the Department of Financial Services surveyed nearly 200 regulated banking institutions and insurance companies to obtain insight into the industry’s efforts to prevent cybercrime.  Additionally, it met with a cross-section of those surveyed, as well as cybersecurity experts, to discuss emerging trends and risks, as well as due diligence processes, policies and procedures governing relationships with third party vendors.  The findings from these surveys led to three reports which helped to inform the rulemaking process.

Should you have any questions or comments, please contact Colodny Fass.

Click here to follow Colodny Fass on Twitter (@ColodnyFassLaw)
