Money Transmitters Face New Requirements under Proposed New York Cybersecurity Rule
By Erica Brennan & Meagan E. Griffin
On September 13, 2016, the New York State Department of Financial Services (the “DFS”) issued a proposed rule implementing cybersecurity requirements for financial services companies in New York.
Requirement for a Cybersecurity Program and Policy
The proposed rule requires covered entities to establish and maintain a cybersecurity program “designed to ensure the confidentiality, integrity and availability” of the entity’s information systems by performing the following core cybersecurity functions: (i) identification of cybersecurity risks; (ii) implementation of policies and procedures to protect against unauthorized access or use or other malicious attacks; (iii) detection of cybersecurity events, which are defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an entity’s information systems;
Further, each covered entity is required to implement and maintain a written cybersecurity policy setting forth policies and procedures for the protection of its information systems and non-public information, which is defined to include both confidential business information, the disclosure of which would materially harm the business, and certain personal information about an individual.
Requirement for a Chief Information Security Officer
Under the proposed rule, each covered entity is required to designate a qualified individual to serve as the Chief Information Security Officer (“CISO”) responsible for overseeing and implementing the entity’s cybersecurity program and enforcing its cybersecurity policy.
Special Requirements for Third-party Service Providers
The proposed rule also requires covered entities to implement policies and procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers. At a minimum, these policies and procedures must identify third parties with access to information systems or non-public information, and include a risk assessment of the same; set forth minimum cybersecurity practices required to be met by such third parties; and address the due diligence processes used to evaluate the adequacy of cybersecurity practices of such third parties.
Additionally, covered entities must ensure that provisions addressing specific cybersecurity concerns, as set forth in the proposed rule, are included in all agreements with third-party service providers.
Encryption Required for All Non-public Information Held or Transmitted
As part of its cybersecurity program, each covered entity must encrypt all non-public information (which is defined to include confidential business information, the disclosure of which would materially harm the business, as well as certain personal information about an individual)
Additional Requirements under the Proposed Rule
In addition to the above provisions, each cybersecurity program must provide for the following:
Annual penetration testing and vulnerability assessments;
Implementation and maintenance of an audit trail system to reconstruct transactions and log access privileges;
Limitations and periodic reviews of access privileges;
Written application security procedures, guidelines, and standards that are reviewed and updated by the CISO at least annually;
An annual risk assessment of the covered entity’s information systems;
Employment and training of cybersecurity personnel, though non-employee third parties may be used in this role, pursuant to the same conditions noted above for use of a third-party CISO;
Multi-factor authentication for individuals accessing internal systems remotely, or who have privileged access;
Timely destruction of non-public information that is no longer necessary, except where required by law;
Monitoring of authorized users and cybersecurity training for all personnel; and
A written incident response plan.
Each covered entity is also required to provide certain notices to the Superintendent of Financial Services, including reports following cybersecurity events (defined as any act or attempt to gain unauthorized access to, disrupt, or misuse an entity’s information systems)
Limited Exemption Based on Volume
The proposed rule includes a limited exemption for covered entities that meet all of the following requirements: (i) fewer than 1000 customers in each of the last three years; (ii) less than $5,000,000 in gross annual revenue in each of the last three years; and (iii) less than $10,000,000 in year-end total assets, including assets of all affiliates. Such entities are exempt from certain provisions of the proposed rule, but must still implement a cybersecurity program and written policies, among other requirements.
The proposed rule was published in the New York State Register on September 28, 2016; there is a 45-day public comment period. If adopted, the rule will become effective January 1, 2017. Covered entities, including money transmitters licensed in New York, should review their existing cybersecurity programs to ensure compliance with the proposed rule, or prioritize adopting a compliant cybersecurity program ahead of the rule’s effective date.
It is important to note that, in the event a licensed money transmitter appoints a CISO, certain states may consider that individual to be a control person under the state money transmission statutes. Such a determination would require the CISO to provide his or her biographical and/or financial information to the state for vetting and background check, usually within a relatively short time period following the appointment, or, in the case of at least one state, ahead of the appointment. To that end, it may make sense for licensed money transmitters who are considering appointing a CISO to contact the state banking departments and seek a determination of whether a CISO would be considered a control person under each state’s provisions. Please contact us if you would like to discuss these issues further.