Legal experts say New York-registered service contract providers must take immediate action to comply with the state's new Cybersecurity Regulation before the looming deadline at the end of next month, and before the state's regulators levy heavy fines and penalties to send a message to the industry.
Editor's Note: This column, written by Locke Lord attorneys Brian T. Casey and Thomas D. Sherman, is the latest in an ongoing series of contributed editorial columns. Readers interested in authoring a contributed column in the future can consult the Guidelines for Editorial Submissions page.
Under the New York Insurance Law, service contract providers, which include issuers of vehicle service contracts (including the service contract affiliates of auto manufacturers) and vehicle protection products, cellphone and computer equipment service contracts, and home appliance service contracts that are required to register with the New York State Department of Financial Services (NYDFS), must also comply with certain statutory and regulatory requirements.
Accordingly, service contract providers transacting business in New York State must take action immediately to meet the August 28, 2017 initial compliance date of the new NYDFS cybersecurity regulation, which became effective March 1, 2017. The new regulation (Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York) imposes requirements on New York Licensees (among others regulated under the New York banking, insurance or financial services laws). Although the regulation provides certain limited exceptions, even so-called exempt individuals and entities must act now to achieve compliance by August 28.
Other states and perhaps even the federal government may look to the NYDFS regulation as a standard and model for minimum cybersecurity requirements for businesses operating in the financial services, insurance and service contract industries. For example, the Cybersecurity Working Group of the NAIC recently published its fifth draft of an Insurance Data Security Model Act, which incorporates certain key features of the New York regulation.
Therefore, whether or not registered with the NYDFS, each participant in the service contract industry in other jurisdictions should study the new regulation carefully, review its existing cybersecurity program against the New York requirements, and treat those requirements as the next step in the evolution of best practices for reducing the vulnerability of the information systems and nonpublic information under its (and its third party service providers') control. As a result, the regulation will require most participants in the service contract industry to elevate these issues to a "C" level priority, increase their technology spend and commit other resources to address the new obligations.
Covered Entities and Limited Exemptions
New York-registered service contract providers are squarely within the definition of "covered entities" subject to the regulation. A covered entity is any person operating, or required to operate, under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York's banking laws, insurance laws or financial services laws, which includes service contract providers. Limited exemptions from many (but not all) of the new requirements apply to covered entities with:
- fewer than 10 employees (including independent contractors) of the covered entity or its affiliates located in New York or responsible for the business of the covered entity, or
- less than $5 million in gross annual revenue in each of the past three years from New York business operations of the covered entity and its affiliates, or
- less than $10 million in year-end total assets (including assets of all affiliates) calculated in accordance with Generally Accepted Accounting Principles.
The regulation also exempts any covered entity that does not directly or indirectly (1) operate, maintain, utilize or control any information systems or (2) control, access, own, generate, receive or possess any nonpublic information, but it is difficult to imagine any business in the service contract industry that would fit this exemption. An employee, agent, representative or designee of a covered entity that is covered by the cybersecurity program of the covered entity need not develop its own cybersecurity program to the extent covered by the cybersecurity program of the principal covered entity.
Covered entities claiming an exemption must file a Notice of Exemption through the prescribed NYDFS website portal within 30 days after the covered entity determines it is exempt, beginning August 28, 2017 (i.e., must file the claim for exemption no later than September 27, 2017). This notice requirement applies to an employee, agent, representative or designee of a covered entity that is covered by the cybersecurity program of the covered entity.
Covered entities that are subject to these limited exemptions must continue to monitor and assess applicability of the regulation, because any covered entity that no longer qualifies for a limited exemption as of its most recent fiscal year-end must comply with all of the applicable requirements of the regulation within 180 days after its fiscal year-end.
All covered entities, even those that qualify under one of the limited exemptions outlined above, must satisfy the following requirements of the regulation:
- adopt, develop, implement and maintain a cybersecurity program,
- develop a written cybersecurity policy,
- limit user access privileges to its information systems,
- conduct periodic risk assessments,
- implement written policies relating to third party service providers,
- design and implement data management (creation, retention and disposition) policies, including with respect to the secure destruction of Nonpublic Information,
- notify the New York Superintendent of Financial Services of the occurrence of certain types of data security breaches, and
- annually certify compliance with the regulation to the New York Superintendent of Financial Services.
Relationships that covered entities have with third party service providers present a challenge. Under the regulation, a covered entity must assess the cybersecurity risks associated with, and implement written policies and procedures designed to ensure the security of, information systems and nonpublic information that are accessible to or held by third party service providers.
In the service contract provider industry context, such third party service providers might include service contract administrators (responsible for the administration of service contracts, including servicing, claims management and processing, recordkeeping, customer service and collection of fees), auto dealers that sell vehicle service contracts (as sales agents), and sellers (sales agents) of consumer electronics service contracts (which might include big box and online retailers). Requiring a New York licensee to assess the cybersecurity program of a large manufacturer, retailer, financial institution, cellphone equipment or system company, for example, seems to turn the risk assessment game on its head.
Information and Systems That Must Be Protected
The regulation requires the protection of nonpublic information and information systems. Nonpublic information is defined, in part, as (i) electronic information that is not publicly available, the tampering with which, or unauthorized disclosure, access or use of which, would cause a material adverse impact on the business, operations or security of the covered entity; and (ii) personal information (as the term is commonly used in other privacy and security laws and regulations, including state insurance law and regulations adopted pursuant to the Gramm-Leach-Bliley Act), such as Social Security numbers, driver's license numbers, account numbers, and related security or access codes, passwords and biometric records. Information systems are defined broadly to include industrial/process controls, telephone switching, and HVAC systems.
It is important to note that the regulation requires covered entities to protect the personal information of any individual, not just New York residents. It is not uncommon for service contract industry participants to receive, hold and disclose large amounts of personal information about service contract holders, their own employees, and others.
The regulation applies to a covered entity's information systems, which are defined as any electronic information resource and system organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of electronic information, as well as any specialized system which handles electronic information such as industrial/process controls, telephone switching, private branch exchange, and environmental control systems. Information systems maintained by or for a covered entity must be protected, whether they are located within or without the State of New York.
The regulation imposes extensive requirements for specific policies and procedures; for hiring, training and monitoring of appropriate personnel; and for the implementation of various technical requirements. Many of these requirements apply to even the smaller Licensees that may qualify for the limited exemptions described above.
A. Risk Assessment. The central requirement of the regulation, and the one that will require the most care and focus, is the risk assessment. The cybersecurity risk assessment must be completed prior to March 1, 2018, but should be commenced immediately in order to confirm the covered entity's adherence to most of the other requirements of the regulation and to make sure the risk assessment is completed on time. In order to comply with the regulation, the cybersecurity risk assessment must be documented and conducted in accordance with written policies and procedures that include criteria and requirements to (a) evaluate and categorize cybersecurity risks and threats facing the covered entity; (b) assess the confidentiality, integrity, security and availability of information systems and nonpublic information; and (c) mitigate and address identified risks. The risk assessment must be updated periodically to address changes in operations, technology, information, and the threat environment.
B. Cybersecurity Program. On or before August 28, 2017, each covered entity must develop a cybersecurity program based on the risk assessment and designed to protect the confidentiality, integrity, and availability of the covered entity's information systems. The cybersecurity program must perform the following core cybersecurity functions: (i) identification and assessment of internal and external cybersecurity risks that may threaten the security or integrity of the nonpublic information stored on the covered entity's information systems; (ii) use of defensive infrastructures; (iii) detection of actual or threatened intrusions; (iv) response to threatened or actual cybersecurity events (defined in Section N below); (v) recovery from cybersecurity events; and (vi) compliance with applicable regulatory reporting obligations.
C. Cybersecurity Policy. Each covered entity must adopt a written cybersecurity policy, approved by a senior officer or the governing board of the covered entity, setting forth the covered entity's policies and procedures for the protection of information systems and the nonpublic information stored on such information systems, based on the required risk assessment. The cybersecurity policy must cover fourteen specified areas, including, for example, data governance and classification; business continuity and disaster recovery planning and resources; systems and network security and monitoring; customer data privacy; and incident response protocols.
D. Cybersecurity Personnel, Training, and Monitoring. The regulation imposes several requirements related to the personnel responsible for the covered entity's cybersecurity and to the cybersecurity awareness of all personnel. Each covered entity must designate a qualified individual as its Chief Information Security Officer. The CISO is responsible for overseeing and implementing the covered entity's cybersecurity program and enforcing its cybersecurity policy. At least once a year, the CISO must report in writing to the covered entity's governing board concerning the covered entity's cybersecurity program and material cybersecurity risks, as well as any material cybersecurity events during the period addressed by the report.
Other qualified cybersecurity personnel of the covered entity must manage the covered entity's cybersecurity risks and perform or oversee the performance of the core cybersecurity functions; all cybersecurity personnel of the covered entity must be engaged, trained, and updated on cybersecurity risks; key cybersecurity personnel of the covered entity must maintain their current knowledge generally of changing and evolving cybersecurity threats and countermeasures; and all personnel of a covered entity must have regular cybersecurity awareness training that is periodically updated to reflect risks identified during the covered entity's periodic risk assessment. The covered entity must also design and implement risk-based policies, procedures and controls to monitor the activity of its Authorized Users and detect unauthorized access to, use of, or tampering with nonpublic information by such authorized users.
E. Penetration Testing and Vulnerability Assessments. The cybersecurity program for each covered entity must include monitoring and testing of information systems for vulnerabilities and weaknesses. The covered entity must conduct a penetration test annually, and the covered entity must perform bi-annual vulnerability assessments.
F. Audit Trail. A covered entity must securely maintain an internal records system that, to the extent applicable and based on its risk assessment, (i) is designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity, (ii) maintains such transaction records for not less than five years, and (iii) provides adequate audit trails designed to detect and respond to cybersecurity events (which include unsuccessful attempts/attacks). The audit trail records under (iii) must be retained for not less than three years.
G. Access Privileges. As part of its cybersecurity program, the covered entity must limit user access privileges to its information systems and must periodically review such access privileges.
H. Application Security. The covered entity's cybersecurity program must include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed computer software applications, and such procedures, guidelines and standards must be reviewed, assessed and updated periodically by the CISO or a qualified designee.
I. Third Party Service Provider Management. The regulation requires each covered entity to adopt and implement written policies and procedures to ensure the security of information systems and nonpublic information accessible to, or held by, third party service providers. The requirements for the management of third party service providers are extensive, and will require significant assessment, planning and execution in order to satisfy the various specific areas that must be addressed.
J. Multi-Factor Authentication. Each covered entity, based on its risk assessment, must design, develop and implement multi-factor authentication or risk-based authentication (as these terms are defined in the regulation) to protect against unauthorized access to nonpublic information or information systems. Multi-factor authentication must be utilized for any individual accessing the covered entity's internal networks from an external network, unless the CISO has approved in writing the use of a reasonably equivalent or more secure access control.
K. Data Retention and Destruction. As part of its cybersecurity program, each covered entity must develop and implement policies and procedures for the secure disposal of personal information no longer necessary for the business operations of the covered entity (except where such information is otherwise required by law or regulation to be retained).
L. Encryption. Based on its risk assessment, each covered entity must implement controls, including encryption, for nonpublic information held or transmitted by the covered entity, both in transit over external networks and at rest. To the extent that encryption of nonpublic information over external networks is determined to not be feasible, the covered entity may secure such nonpublic information using alternative compensating controls, reviewed and approved by the CISO, and those alternative compensating controls must be reviewed by the CISO at least annually. A covered entity that qualifies for the limited exemptions described above would not be subject to the encryption requirement, but these requirements are the minimum requirements, and encryption protocols should be actively considered by all covered entities, exempted or not from the encryption requirement.
M. Incident Response Plan. A written incident response plan must be established as a part of the covered entity's cybersecurity program to respond to and recover from any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity's information systems or the continuing functionality of any aspect of the covered entity's business or operations.
N. Notices and Certifications to Superintendent of NYDFS; Confidentiality
1. Cyber Event Notices. On and after August 28, 2017, a covered entity must provide notice to the Superintendent of Financial Services as promptly as possible but no later than 72 hours after a determination by the covered entity that a cybersecurity event has occurred where (i) notice is required from the covered entity to any governmental body, self-regulatory agency or other supervisory body, or (ii) the cybersecurity event has a reasonable likelihood of materially harming any material part of the covered entity's normal operations.
A cybersecurity event means "any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system." New York has other "breach notice" laws and regulations (see, e.g., NY General Business Laws 899-aa and New York Tech Law 208). The breach notice triggers under the regulation are not limited to, nor have they been harmonized with, other New York laws that may trigger regulatory or other breach notices.
2. Annual Certification of Compliance. A covered entity must submit to the Superintendent of Financial Services an annual compliance certification on a NYDFS required form by February 15 of each year beginning in 2018. All records, schedules and data supporting the certificate must be maintained by each covered entity and available for examination by the NYDFS for five years.
3. Confidentiality. All information provided by a covered entity to the NYDFS pursuant to the regulation is subject to the exemptions from disclosure under the New York Banking Law, Insurance Law, Financial Services Law, Public Officers Law, or any other applicable state or federal law.
Effective Date and Transition Periods
The regulation became effective March 1, 2017, but covered entities have until August 28, 2017, to comply with its requirements, subject to certain transition periods described below for some of the requirements. The following table indicates the compliance dates for the regulation's various specific requirements, together with three different transition periods for certain provisions of the regulation.
| Compliance Date | Requirement | Regulation Section Reference |
|---|---|---|
| August 28, 2017 | Cybersecurity Program | § 500.02 |
| August 28, 2017 | Cybersecurity Policy | § 500.03 |
| August 28, 2017 | Access Privileges | § 500.07 |
| August 28, 2017 | Cybersecurity Personnel | § 500.10 |
| August 28, 2017 | Incident Response Plan | § 500.16 |
| August 28, 2017 | Notice of Cybersecurity Event | § 500.17(a) |
| September 27, 2017 | Last Day for Filing for Limited Exemption | § 500.19(d) |
| February 15, 2018 | Annual Compliance Certification | § 500.17(b) |
| March 1, 2018 | CISO's annual report to the governing board | § 500.04(b) |
| March 1, 2018 | Penetration Testing and Vulnerability Assessments | § 500.05 |
| March 1, 2018 | Risk Assessment | § 500.09 |
| March 1, 2018 | Multi-factor Authentication | § 500.12 |
| March 1, 2018 | Cybersecurity Awareness Training for all Personnel | § 500.14(a)(2) |
| September 3, 2018 | Audit Trail | § 500.06 |
| September 3, 2018 | Application Security | § 500.08 |
| September 3, 2018 | Data Retention Limits | § 500.13 |
| September 3, 2018 | Monitoring and Detection of Activity of Authorized Users | § 500.14(a)(1) |
| March 1, 2019 | Third Party Vendor Security | § 500.11 |
Immediate Actions That Covered Entities Should Take
Each covered entity should start now to inventory and begin the detailed review of its existing information systems, programs, policies, and procedures related to data and cybersecurity to determine what is needed to satisfy the new requirements by the compliance dates scheduled above. Virtually all licensees must take appropriate action to comply with these new requirements. This should be a "C" level executive initiative. The following project steps should be implemented by covered entities:
- Determine if the limited exemption for small businesses, or one of the other exemptions, applies, and, if so, file a Notice of Exemption on or before September 27, 2017.
- Identify and gather a cross-functional project team, consisting of internal decision makers, IT personnel, and internal and experienced external legal and regulatory compliance resources that will report to a "C" level executive in the organization.
- Identify internal shortcomings and any supplemental outside resources that will be required for various elements of the cybersecurity program, such as penetration testing.
- Catalogue all existing programs, policies, and procedures related to cybersecurity, information systems and nonpublic information maintained in electronic or other form.
- Assign project team members responsible for identifying, reviewing, evaluating and, as necessary, revising in coordination with the entire project team each existing program, policy, and procedure, to draft any new documentation, procedures, policies, recommendations and protocols needed to comply with the new requirements and to test cybersecurity enhancements for vulnerability and weaknesses.
- Prepare the timeline for deliverables and implementation procedures to achieve compliance by the effective dates in the regulation.
- Catalogue and identify all third party service providers, conduct due diligence on existing and proposed third party service providers and their respective cybersecurity programs, evaluate all third party provider encryption protocols, and secure representations, warranties, covenants and indemnities from the third party service providers addressing their respective cybersecurity policies and procedures that relate to the security of the covered entity's information systems or nonpublic information.
- Examine all of the covered entity's insurance policies and obtain appropriate cyber insurance coverage.
Expectations of Future Activity
In response to the new NYDFS requirements, one can expect the development of private sector standards and legal and regulatory requirements of other states. With the federal government's new emphasis on cybersecurity and, among other things, hacking and hacking attempts of various private entity systems, despite a push by the new federal executive branch for fewer federal regulations, expect that this is one area where the federal government will become more involved. The National Association of Insurance Commissioners' Cybersecurity Working Group has been working on these issues since 2014, and released a revised draft model law last month that mirrors, in many respects, the New York regulation.
In New York, one can expect that with respect to covered entities' license renewals and new license applications, the NYDFS will demand more information about a covered entity's level of cybersecurity preparedness and risk mitigation, including compliance of its cybersecurity systems, policies and procedures with the requirements of the regulation. One can also expect that the NYDFS will levy heavy fines and penalties, particularly at the outset of the effectiveness of the regulation, if the NYDFS determines a licensee turned a blind eye towards the regulation and cybersecurity, if for no other reason than to send a loud and resounding message to the industry.
About the Authors:
Brian T. Casey is a partner in the Atlanta office of the international law firm Locke Lord LLP. As co-leader of Locke Lord's Regulatory and Transactional Insurance Practice Group, and a member of the firm's Corporate, Capital Markets and Health Care Practice Groups, Brian focuses on corporate, merger and acquisition, corporate and structured finance and other transactional, and regulatory matters for corporate clients in the insurance, financial services and health care industries.
One significant facet to Brian's practice is a focus on the service contracts industry across all types of covered products, including mobile phones, computers, homes, furniture and automobiles. His clients include insurance companies, insurance holding companies, managing general agents and insurance agencies, third party and claims administrators, banks and other financial institutions, investment banks and reinsurance companies.
Thomas D. Sherman is Of Counsel in the firm's Atlanta office. He has nearly 45 years of hands-on, results-oriented accomplishments in a wide variety of legal matters including mergers, acquisitions and joint ventures; SEC practice and compliance (Sarbanes-Oxley Act); commercial and employment law; equity and debt, public and private financings; general corporate law; litigation, including litigation management; and senior executive matters, including employment contracts, non-competition restrictions and severance agreements.