With about a month to go until the first set of NYDFS’s cybersecurity rules go into effect (on August 28, 2017), we are proud to announce the formal launch of the Davis Polk Cyber Blog. The blog will help you keep pace with industry best practices and be aware of your company’s cybersecurity obligations, including those relating to the NYDFS rules. Aside from posts about developments in cybersecurity, the blog includes information about our Data Breach Notification Resource Portal. This Portal allows clients to quickly assess their cyber breach notification obligations under all 48-state law regimes, as well as various federal notification statutes, by answering a series of questions. A video demonstration of our Portal, which is currently in beta testing, is available upon request.
The NYDFS cybersecurity rules taking effect is a significant event for NYDFS-regulated entities, and for any company facing cybersecurity concerns. The unique combination of (1) concrete cybersecurity requirements (e.g., access controls), (2) a senior-level certification obligation, and (3) the 72-hour notice requirement, will likely have a lasting impact on cybersecurity regulations and expectations in general. Covered companies have one month left to have the following measures in place:
- Designate a Chief Information Security Officer (“CISO”);
- Implement the required elements of a cybersecurity program, cybersecurity policies, and an incident response plan;
- Regulate access privileges for information systems;
- Ensure that required cybersecurity personnel are in place; and
- Be prepared to notify the NYDFS within 72 hours of certain cybersecurity events.
The rules also require that companies conduct a risk assessment, but that deadline (along with the deadline for the CISO report to the Board, training, penetration testing, and multifactor authentication) is not until March 1, 2018. However, because of the express connections between the risk assessment and many of the obligations set forth in the rules (most recently, the notice requirement, as reflected in the updated NYDFS FAQ described in our recent blog post) many companies are aiming to conduct their risk assessment early, so that it can be factored into the certification process that must be completed by February 15, 2018.
The cybersecurity events that trigger the 72-hour notice requirement include those that:
- Require notice to be provided to any other government body, self-regulatory agency, or supervisory body; or
- Create a reasonable likelihood of materially harming any part of the normal operation of your company.
Beyond those NYDFS-regulated entities that are directly subject to the rules, thousands of vendors of those firms will be required to comply with the rules because the companies that they serve are obligated to impose the requirements on their vendors.
More broadly, as discussed in our recent Webcast about NYDFS cyber compliance last month, the rules may become considered as industry best practices for cybersecurity. As a result, many companies that are not subject to the rules will, for a variety of reasons, want to be able to say that they meet the NYDFS requirements.
For more details on issues regarding these obligations, please visit the Cyber Blog.