TRANSCRIPT
DLA PIPER / BDO USA, LLP 0 Tuesday, March 7, 2017
A New Normal: The NYDFS Cybersecurity Regulations and the Insurance Industry
Presented by DLA Piper and BDO Consulting
Tuesday, March 7, 2017
If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.
US participants: 1 800 926 5085
Outside the US: 1 212 231 2913
The audio portion is available via conference call. It is not broadcast through your computer.
*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.
PRESENTERS
- Jim Halpert, Co-Chair, US Cybersecurity Practice and Co-Chair, Global Data Protection, Privacy and Security Practice, DLA Piper, [email protected], 202.799.4441
- Judy Selby, National Lead, Cyber Insurance & Data Privacy, BDO Consulting, [email protected], 203.905.6252
- Mike Stiglianese, National Lead, Technology & Cybersecurity – Financial Services Industry, BDO Consulting, [email protected], 212.817.1782
- Rena Mears, Principal, Global Data Protection, Privacy, and Security, DLA Piper, rena.mears@dlapiper.com, 415.836.2555
- Carla Small, Of Counsel, Insurance Sector, DLA Piper, carla.small@dlapiper.com, 212 335 4532
AGENDA
1 Why is the NYDFS Cyber Regulation a challenge?
2 Unique legal and sector considerations
3 Key role of risk assessments
4 Coverage, scope and timeline implications
5 Where should you begin?
6 Q&A

1 Why is the NYDFS Cyber Regulation a Challenge?
NYDFS CHALLENGES
Broad coverage for data risk, privacy, security and cybersecurity. Responsibility and accountability concentrated on CISO, senior management or board.
- Specific cybersecurity program and policy presented to Board
- Role of the CISO – expanded responsibility including enforcement
- Role of senior management or the board – responsibility to review policy and accountability to sign annual certifications
- Reporting – internal reporting and annual certifications of compliance
- Incident response and notices to Superintendent of cyber-event
- Third-party risk management and policy – encryption, authentication required
- Encryption, or ongoing responsibility to consider compensating controls
- Monitoring and 3-5 year log retention
NYDFS REQUIREMENTS—PROGRAM
Establish and maintain a cybersecurity program designed to ensure confidentiality and integrity of covered entity information.
- Identify internal/external cyber-risks to NPI (broadly defined) stored on CE's systems
  – Sensitivity of the NPI
  – How, and by whom, the NPI may be accessed
- Use defensive infrastructure and implementation of policies and procedures to protect covered entity information systems and NPI from unauthorized access
- Detect, mitigate cyber-events
- Recover from cyber-events, restore normal operations and services
- Fulfill regulatory reporting obligations (including notice within 72 hours of determining a breach)
- Document program to demonstrate compliance
NYDFS REQUIREMENTS—POLICY
Implement & maintain written cybersecurity policy describing your policies and procedures to protect information systems and NPI stored on them. Policy must be approved by senior officer or the board.
Areas addressed by the policy:
- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and DR
- Capacity and performance planning
- Systems operations and availability
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assurance
- Incident response
NYDFS REQUIREMENTS—CISO REPORT
1. Designate qualified CISO to oversee/implement cyber program and policy
2. Develop annual report for board and equivalent governing body
3. Report available to NYDFS supervisor upon request
4. Annually review, assess and update application security procedures, guidelines and standards (internal/external developed applications)
5. Review and approve encryption alternative compensating controls
6. If using third-party service provider, must retain responsibility and designate senior member to provide oversight
The annual report:
- Assesses confidentiality, integrity and availability of information systems
- Identifies material cyber-risks
- Assesses effectiveness of program
- Proposes steps to remediate inadequacies identified
- Includes material cybersecurity events involving covered entity during period addressed in report
2 Unique Legal and Sector Considerations
INSURANCE REGULATORY CONSIDERATIONS
- Overlapping layers of federal and state regulation
  – HIPAA, HITECH, GLB, "nonpublic information" definition issue
  – Alternative/conflicting data protection requirements
- No other state has adopted insurance-specific cybersecurity regulation
  – NAIC has been working on this for 2 years
  – NYDFS is the first mover
- Insurance not classified as Critical Infrastructure under FFIEC
  – For the first time subject to requirements at stringent side of NIST Framework
- Unique information structure characteristics of the insurance industry
  – Fundamental information sharing business realities of insurance companies that need to be accommodated
INSURANCE SECTOR CONSIDERATIONS
- Diverse product distribution systems
  – Agents, brokers and residual market entities with separate and independent "information systems"
  – Some lines have many small sales intermediaries and third party vendors
  – Difficult scaling cybersecurity and third party management across these networks
- Wide sharing of NPI across complex landscape of re-insurance pooling, syndicated coverage, guaranty funds
  – Difficulty driving security terms across diverse landscape of entities that receive NPI
NOTIFICATIONS AND CERTIFICATIONS
Notify Superintendent
- Required within 72 hours of determining that cyber event occurred
  – Where government or self-regulatory agency is notified, or
  – That has a reasonable likelihood of materially harming the normal operations of the CE
- Notification required as promptly as possible, but no later than 72 hours after determining cyber-event occurred
Annual Report
- Submit report to Superintendent by Feb 15 attesting to compliance with requirements, signed by Chair of Board or senior officer to best of knowledge
- Retain supporting records, schedules for 5 years
- Material improvements required for areas, systems, etc. Document identification and remedial efforts and retain for examination
- Be available for inspection
ATTORNEY-CLIENT PRIVILEGE
- Security assessments are a top request of State AG, plaintiff's lawyer discovery
  – In defendant's own words, does this work for them?
- Protecting reviews with attorney-client privilege can avoid this discovery; however:
  – Cannot prevent NYDFS from obtaining documentation and must provide certifications
- Request confidential treatment of all submissions to NYDFS
- If you might be a target, consider commissioning privileged, more detailed versions of assessments, and a shorter, less colorful version for inspection
- Consider increasing your cyber-insurance coverage
3 Based upon Risk
A RISK-BASED APPROACH
The Final Rule requires periodic Risk Assessments that tie key elements of a Covered Entity's cybersecurity program to its own assessment of risk.
The risk assessment is meant to be a sustainable process that provides the foundation for the design and implementation of a compliant cybersecurity program that effectively addresses the risk landscape of the Covered Entity.
The risk assessment is expected to be:
- Sufficient to inform the design of the cybersecurity program
- Updated to address changes to the Covered Entity's Information Systems, NPI, business operations
- Allowing for revisions of controls to respond to changes in technology, threat landscape, business operations, NPI, systems and effectiveness of controls
The risk assessment:
- Is consistent with other guidance (NACD Handbook, NIST)
- Identifies and provides a mechanism to focus on the sweeping definition of NPI assets at risk within the Covered Entity
A RISK ASSESSMENT
The risk assessment is a documented process based on established policies and procedures that includes:
- Criteria for evaluating and categorizing identified cybersecurity risks and threats
- Criteria for assessing the confidentiality, integrity, security and availability of the CE's Information Systems and NPI
- Criteria for evaluating the adequacy of the existing controls within the context of identified risks
- Requirements for determining how the identified risks will be mitigated or accepted
- Determination of how the cybersecurity program will address the risks (e.g. third party, authentication, access, training, encryption etc.)
A Risk Assessment is defined as:
- A prioritization of potential business disruptions based on severity and likelihood of occurrence… includes:
  – Analysis of threats based on impact to the institution, its customers, and financial markets, rather than the nature of the threat *
- It is an assessment of risk within the context of the business and its cybersecurity threat landscape
- It is NOT a cost-benefit analysis
* Definition adapted from FFIEC
4 Coverage, Scope and Timeline Implications
COVERED ENTITIES
Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.
- Banks and trust companies
- Budget planners
- Charitable foundations
- Check cashers
- Credit unions
- Domestic representative offices
- Foreign agencies
- Foreign bank branches
- Foreign representative offices
- Fraternal Benefit Societies
- Health insurers, accident and related entities
- Holding companies
- Investment companies
- Licensed lenders
- Life insurance companies
- Money transmitters
- Mortgage bankers
- Mortgage brokers
- Mortgage loan originators
- Mortgage loan servicers
- New York state regulated corporations
- Premium finance agencies
- Private bankers
- Property and casualty insurance companies
- Safe deposit companies
- Sales finance companies
- Savings banks and savings and loan associations (S&Ls)
- Service contract providers
PARTIAL EXEMPTIONS
Exemption criteria are applied to the covered entity and its affiliates.
Complete Exemption
- Non-NY risk retention groups
- Charitable annuity societies
- Accredited reinsurer or certified reinsurer
Limited Exemptions
- No Information System or access to NPI
- Captives under Article 70 of the Insurance Law
- Small Business
  – Fewer than 10 employees, including any independent contractors, or
  – Less than $5 million in gross annual revenue in each of the past 3 years, or
  – Less than $10 million in year-end total assets
Establish Eligibility for Limited Exemptions
- File notice of exemption within 30 days of determination that the covered entity is exempt
- If covered entity as of most recent fiscal year end ceases to qualify for exemption – 180 days from fiscal year end to comply with all applicable requirements
THIRD-PARTY PROVIDERS
Covered entities must implement written policies and procedures to ensure security of information accessible to, or held by, third parties with whom they do business.
Policies and procedures address:
– Identification and risk assessment
– Minimum cybersecurity practices
– Due diligence processes used to evaluate adequacy of cybersecurity practices of the third party
– Periodic risk assessment
Establish preferred provisions to be included in contract (if applicable):
– Use multi-factor authentication (limit remote access to sensitive systems & NPI)
– Use encryption or compensating control to protect NPI in transit and at rest
– Prompt notice to be provided to CE in event of cyber-event that results from third party's negligence or willful misconduct
– Rep and warrant from third party that the service is free from viruses, etc.
– Right of CE or its agents to perform cybersecurity audits
THIRD-PARTY PROVIDERS—AGENT STRATEGY
Agents may fit within small business category
– Fewer than 10 employees or contractors in NY or responsible for the business
– Less than $5 million in annual revenue over past 3 years or
– Less than $10 million in assets for company and all affiliates as of year end
Not a get-out-of-jail-free card
– Must conduct risk assessment, secure disposal of NPI and have third-party risk management policy and program
OR
Bring under the tent: Agents can be subject to and follow all aspects of the Covered Entity's security program and policy
– Do they have reputational risk already?
– Some greater risk of vicarious liability if there are deficiencies in the policy or program
NYDFS IMPLEMENTATION TIMELINE
Various sections of regulation become effective over 2-year time period.
[Timeline figure spanning 2017, 2018 and 2019: basic program elements; complex cyber requirements; additional complex requirements; Third-Party Service Provider Security Policy (500.11); Annual Certification of Compliance (500.21)]
5 Where Should You Begin?
UNDERSTAND CURRENT STATE
- Understand current state of existing program; if it is not known, a current state assessment should be performed immediately
- Current state assessment used as basis of gap analysis against NYDFS regulation requirements
- Expect gaps in all programs, regardless of maturity level
- Identified gaps become basis of a detailed remediation plan
Phase I – Establish Current State
– Define current state baseline
– Leverage BDO NYDFS Self Assessment Tool
Phase II – Gap Identification and Verification
– Define target state against the NYDFS requirements and Risk Assessment
– Identify and verify each gap against compliant target
Phase III – Remediation Option Analysis
– Identify remediation options for each identified gap
– Prepare a strategic, actionable remediation plan
BDO provides technical and content support.
POSSIBLE GAPS FOR MATURE PROGRAMS
- § 500.04 Chief Information Security Officer – expanded CISO role
- § 500.05 Penetration testing and vulnerability assessments – prescriptive timing requirements
- § 500.06 Audit trail – log retention periods
- § 500.08 Application security – written program and procedures, process for review by CISO or designee
- § 500.11 Third-party service provider security policy – access controls, encryption and multi-factor authentication
- § 500.13 Limitations on data retention – define disposal requirements
- § 500.15 Encryption of nonpublic information – annual review of compensating controls
- § 500.17 Notices to Superintendent – process and definition for determination of an incident
POSSIBLE GAPS—INTERMEDIATE AND STARTUP
If your program is intermediate or startup in maturity, look for gaps against these requirements:
- § 500.07 - Access privileges
- § 500.09 - Risk assessment
- § 500.10 - Cybersecurity personnel and intelligence
- § 500.12 - Multi-factor authentication
- § 500.14 - Training and monitoring
- § 500.16 - Incident response plan
Intermediate programs typically have problems in one or more of the above areas. The NYDFS requirements are more restrictive than most existing guidelines or frameworks.
EXPECTED GAPS—STARTUP PROGRAMS
Startup programs identify gaps against remaining provisions of the regulation:
- § 500.02 - Cybersecurity program
- § 500.03 - Cybersecurity policy
As discussed earlier, the program and policies required under the NYDFS regulation are quite descriptive. Since these are areas that are typically under development in startup programs, they need increased focus.
KEY CONCEPTS
- NYDFS cyber regulation has unusually broad coverage (both entities and NPI)
- Governance challenges -- expanded CISO responsibilities, senior executive signing annual certification
- Short ramp-up and breach notice requirements
- Specific requirements that will likely require adjustments even to most mature cybersecurity programs

6 Questions and Answers
Questions?
Contact us to learn more
- Jim Halpert, Co-Chair, US Cybersecurity Practice and Co-Chair, Global Data Protection, Privacy and Security Practice, DLA Piper, 202.799.4441
- Judy Selby, National Lead, Cyber Insurance & Data Privacy, BDO Consulting, 203.905.6252
- Mike Stiglianese, National Lead, Technology & Cybersecurity – Financial Services Industry, BDO Consulting, 212.817.1782
- Rena Mears, Principal, Global Data Protection, Privacy, and Security, DLA Piper, rena.mears@dlapiper.com, 415.836.2555
- Carla Small, Of Counsel, Insurance Sector, DLA Piper, carla.small@dlapiper.com, 212 335 4532