
Page 1: A New Normal: The NYDFS Cybersecurity Regulations …/media/Files/Insights/Events/2017/03/NYD... · Cybersecurity Regulations and the Insurance Industry ... Role of the CISO ... Establish

DLA PIPER / BDO USA, LLP 0 Tuesday, March 7, 2017

A New Normal: The NYDFS Cybersecurity Regulations and the Insurance Industry

Presented by DLA Piper and BDO Consulting

Tuesday, March 7, 2017

If you cannot hear us speaking, please make sure you have called into the teleconference number on your invite information.

US participants: 1 800 926 5085
Outside the US: 1 212 231 2913

The audio portion is available via conference call. It is not broadcast through your computer.

*This webinar is offered for informational purposes only, and the content should not be construed as legal advice on any matter.

Page 2

PRESENTERS

Jim Halpert, Co-Chair, US Cybersecurity Practice and Co-Chair, Global Data Protection, Privacy and Security Practice, DLA Piper, [email protected], 202.799.4441

Judy Selby, National Lead, Cyber Insurance & Data Privacy, BDO Consulting, [email protected], 203.905.6252

Mike Stiglianese, National Lead, Technology & Cybersecurity – Financial Services Industry, BDO Consulting, [email protected], 212.817.1782

Rena Mears, Principal, Global Data Protection, Privacy, and Security, DLA Piper, rena.mears@dlapiper.com, 415.836.2555

Carla Small, Of Counsel, Insurance Sector, DLA Piper, carla.small@dlapiper.com, 212 335 4532

Page 3

AGENDA

- Why is the NYDFS Cyber Regulation a challenge?
- Unique legal and sector considerations
- Key role of risk assessments
- Coverage, scope and timeline implications
- Where should you begin?
- Q&A

Page 4

1. Why is the NYDFS Cyber Regulation a Challenge?

Page 5

NYDFS CHALLENGES

Broad coverage for data risk, privacy, security and cybersecurity. Responsibility and accountability concentrated on CISO, senior management or board.

- Specific cybersecurity program and policy presented to Board
- Role of the CISO – expanded responsibility including enforcement
- Role of senior management or the board – responsibility to review policy and accountability to sign annual certifications
- Reporting – internal reporting and annual certifications of compliance
- Incident response and notices to Superintendent of cyber-event
- Third-party risk management and policy – encryption, authentication req’d
- Encryption or ongoing responsibility to consider compensating controls
- Monitoring and 3-5 year log retention

Page 6

NYDFS REQUIREMENTS—PROGRAM

Establish and maintain a cybersecurity program designed to ensure confidentiality and integrity of covered entity information.

- Identify internal/external cyber-risks to NPI (broadly defined) stored on CE’s systems
  - Sensitivity of the NPI
  - How, and by whom, the NPI may be accessed
- Use defensive infrastructure and implementation of policies and procedures to protect covered entity information systems and NPI from unauthorized access
- Detect, mitigate cyber-events
- Recover from cyber-events, restore normal operations and services
- Fulfill regulatory reporting obligations (including notice within 72 hours of determining a breach)
- Document program to demonstrate compliance

Page 7

NYDFS REQUIREMENTS—POLICY

Implement & maintain written cybersecurity policy describing your policies and procedures to protect information systems and NPI stored on them. Policy must be approved by senior officer or the board.

Policy areas:

- Information security
- Data governance and classification
- Access controls and identity management
- Business continuity and DR
- Capacity and performance planning
- Systems operations and availability
- Systems and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Customer data privacy
- Vendor and third-party service provider management
- Risk assurance
- Incident response

Page 8

NYDFS REQUIREMENTS—CISO REPORT

CISO:

1. Designate qualified CISO to oversee/implement cyber program and policy
2. Develop annual report for board and equivalent governing body
3. Report available to NYDFS supervisor upon request
4. Annually review, assess and update application security procedures, guidelines and standards (internal/external developed applications)
5. Review and approve encryption alternative compensating controls
6. If using third-party service provider, must retain responsibility and designate senior member to provide oversight

Report:

- Assess confidentiality, integrity and availability of information systems
- Identify material cyber-risks
- Assess effectiveness of program
- Propose steps to remediate inadequacies identified
- Include material cybersecurity events involving covered entity during period addressed in report

Page 9

2. Unique Legal and Sector Considerations

Page 10

INSURANCE REGULATORY CONSIDERATIONS

- Overlapping and layers of federal and state regulation
  - HIPAA, HITECH, GLB, “nonpublic information” definition issue
  - Alternative/conflicting data protection requirements
- No other state has adopted insurance-specific cybersecurity regulation
  - NAIC has been working on this for 2 years
  - NYDFS is the first mover
- Insurance not classified as Critical Infrastructure under FFIEC
  - For the first time subject to requirements at stringent side of NIST Framework
- Unique information structure characteristics of the insurance industry
  - Fundamental information sharing business realities of insurance companies that need to be accommodated

Page 11

INSURANCE SECTOR CONSIDERATIONS

- Diverse product distribution systems
  - Agents, brokers and residual market entities with separate and independent “information systems”
  - Some lines have many small sales intermediaries and third party vendors
  - Difficult scaling cybersecurity and third party management across these networks
- Wide sharing of NPI across complex landscape of re-insurance pooling, syndicated coverage, guaranty funds
  - Difficulty driving security terms across diverse landscape of entities that receive NPI

Page 12

NOTIFICATIONS AND CERTIFICATIONS

Notify Superintendent:

- Required within 72 hours of determining that cyber event occurred
  - Where government or self-regulatory agency is notified or
  - That has a reasonable likelihood of materially harming the normal operations of the CE
- Notification required as promptly as possible, but no later than 72 hours after determining cyber-event occurred

Annual Report:

- Submit report to Superintendent by Feb 15 attesting to compliance with requirements, signed by Chair of Board or senior officer to best of knowledge
- Retain supporting records, schedules for 5 years
- Material improvements required for areas, systems, etc. Document identification and remedial efforts and retain for examination
- Be available for inspection

Page 13

ATTORNEY-CLIENT PRIVILEGE

- Security assessments are a top request of State AG, plaintiff’s lawyer discovery
  - In defendant’s own words, does this work for them?
- Protecting reviews with attorney-client privilege can avoid this discovery; however:
  - Cannot prevent NYDFS from obtaining documentation and must provide certifications
- Request confidential treatment of all submissions to NYDFS
- If you might be a target, consider commissioning privileged, more detailed versions of assessments, and a shorter less colorful version for inspection
- Consider increasing your cyber-insurance coverage

Page 14

3. Based upon Risk

Page 15

A RISK-BASED APPROACH

The Final Rule requires periodic Risk Assessments that tie key elements of a Covered Entity’s cybersecurity program to its own assessment of risk.

The risk assessment is meant to be a sustainable process that provides the foundation for the design and implementation of a compliant cybersecurity program that effectively addresses the risk landscape of the Covered Entity.

The risk assessment is expected to be:

- Sufficient to inform the design of the cybersecurity program
- Updated to address changes to the Covered Entity’s Information Systems, NPI, business operations
- Allow for revisions of controls to respond to changes in technology, threat landscape, business operations, NPI, systems and effectiveness of controls

The risk assessment is:

- Consistent with other guidance (NACD Handbook, NIST)
- Identifies and provides a mechanism to focus on the sweeping definition of NPI assets at risk within the Covered Entity

Page 16

A RISK ASSESSMENT

The risk assessment is a documented process based on established policies and procedures that includes:

- Criteria for evaluating and categorizing identified cybersecurity risks and threats
- Criteria for assessing the confidentiality, integrity, security and availability of the CE’s Information Systems and NPI
- Criteria for evaluating the adequacy of the existing controls within the context of identified risks
- Requirements for determining how the identified risks will be mitigated or accepted
- Determine how the cybersecurity program will address the risks (e.g. third party, authentication, access, training, encryption etc.)

A Risk Assessment is defined as:

A prioritization of potential business disruptions based on severity and likelihood of occurrence… includes:

– Analysis of threats based on impact to the institution, its customers, and financial markets, rather than the nature of the threat *

- It is an assessment of risk within the context of the business and its cybersecurity threat landscape
- It is NOT a cost-benefit analysis

* Definition adapted from FFIEC

Page 17

4. Coverage, Scope and Timeline Implications

Page 18

COVERED ENTITIES

Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.

- Banks and trust companies
- Budget planners
- Charitable foundations
- Check cashers
- Credit unions
- Domestic representative offices
- Foreign agencies
- Foreign bank branches
- Foreign representative offices
- Fraternal Benefit Societies
- Health insurers, accident and related entities
- Holding companies
- Investment companies
- Licensed lenders
- Life insurance companies
- Money transmitters
- Mortgage bankers
- Mortgage brokers
- Mortgage loan originators
- Mortgage loan servicers
- New York state regulated corporations
- Premium finance agencies
- Private bankers
- Property and casualty insurance companies
- Safe deposit companies
- Sales finance companies
- Savings banks and savings and loan associations (S&Ls)
- Service contract providers

Page 19

PARTIAL EXEMPTIONS

Complete Exemption:

- Non-NY risk retention groups
- Charitable annuity societies
- Accredited reinsurer or certified reinsurer

Limited Exemptions:

- No Information System or access to NPI
- Captives under Article 70 of the Insurance Law
- Small Business:
  - Fewer than 10 employees, including any independent contractors or
  - Less than $5 million in gross annual revenue in each of the past 3 years
  - Less than $10 million in year-end total assets

Establish Eligibility for Limited Exemptions:

- File notice of exemption within 30 days of determination that the covered entity is exempt
- If covered entity as of most recent fiscal year end ceases to qualify for exemption – 180 days from fiscal year end to comply with all applicable requirements

Exemption criteria are applied to covered entity and its affiliates.

Page 20

THIRD-PARTY PROVIDERS

Covered entities must implement written policies and procedures to ensure security of information accessible to, or held by, third parties with whom they do business.

Policies and procedures address:

– Identification and risk assessment
– Minimum cybersecurity practices
– Due diligence processes used to evaluate adequacy of cybersecurity practices of third parties
– Periodic risk assessment

Establish preferred provisions to be included in contract (if applicable):

– Use multi-factor authentication (limit remote access to sensitive systems & NPI)
– Use encryption or compensating control to protect NPI in transit and at rest
– Prompt notice to be provided to CE in event of cyber-event that results from third party’s negligence or willful misconduct
– Rep and warrant from third party that service is free from viruses, etc.
– Right of CE or its agents to perform cybersecurity audits

Page 21

THIRD-PARTY PROVIDERS—AGENT STRATEGY

Option 1: Agents may fit within small business category

– Fewer than 10 employees or contractors in NY or responsible for the business
– Less than $5 million in annual revenue over past 3 years or
– Less than $10 million in assets for company and all affiliates as of year end

Not a get out of jail free card

– Must conduct risk assessment, secure disposal of NPI and have third-party risk management policy and program

OR

Option 2: Bring under the tent: Agents can be subject to and follow all aspects of the Covered Entity’s security program and policy

– Do they have reputational risk already?
– Some greater risk of vicarious liability if there are deficiencies in the policy or program

Page 22

NYDFS IMPLEMENTATION TIMELINE

Various sections of regulation become effective over 2-year time period.

[Timeline figure spanning 2017, 2018 and 2019. Labels: Basic program elements; Complex cyber requirements; Additional complex requirements; Third-Party Service Provider Security Policy (500.11); Annual Certification of Compliance (500.21)]

Page 23

5. Where Should You Begin?

Page 24

UNDERSTAND CURRENT STATE

- Understand current state of existing program
  - If not, a current state assessment should be performed immediately
- Current state assessment used as basis of gap analysis against NYDFS regulation requirements
- Expect gaps in all programs, regardless of maturity level
- Identified gaps become basis of a detailed remediation plan

[Figure: three-phase approach. Phase I: Establish Current State; Phase II: Gap Identification and Verification; Phase III: Remediation Option Analysis; BDO provides technical and content support throughout. Step labels: Leverage BDO NYDFS Self Assessment Tool; Define current state baseline; Define target state against the NYDFS requirements and Risk Assessment; Identify and verify each gap against compliant target; Identify remediation options for each identified gap; Prepare a strategic actionable remediation plan]

Page 25

POSSIBLE GAPS FOR MATURE PROGRAMS

- § 500.04 Chief Information Security Officer: expanded CISO role
- § 500.05 Penetration testing and vulnerability assessments: prescriptive timing requirements
- § 500.06 Audit trail: log retention periods
- § 500.08 Application security: written program and procedures, process for review by CISO or designee
- § 500.11 Third-party service provider security policy: access controls, encryption and multi-factor authentication
- § 500.13 Limitations on data retention: define disposal requirements
- § 500.15 Encryption of nonpublic information: annual review of compensating controls
- § 500.17 Notices to Superintendent: process and definition for determination of an incident

Page 26

POSSIBLE GAPS—INTERMEDIATE AND STARTUP

If your program is of intermediate maturity or a startup, look for gaps against these requirements:

- § 500.07 – Access privileges
- § 500.09 – Risk assessment
- § 500.10 – Cybersecurity personnel and intelligence
- § 500.12 – Multi-factor authentication
- § 500.14 – Training and monitoring
- § 500.16 – Incident response plan

Intermediate programs typically have problems in one or more of the above areas. The NYDFS requirements are more restrictive than most existing guidelines or frameworks.

Page 27

EXPECTED GAPS—STARTUP PROGRAMS

Startup programs identify gaps against remaining provisions of the regulation:

- § 500.02 – Cybersecurity program
- § 500.03 – Cybersecurity policy

As discussed earlier, the program and policies required under the NYDFS regulation are quite descriptive. Since these are areas that are typically under development in startup programs, they need increased focus.

Page 28

KEY CONCEPTS

- NYDFS cyber regulation has unusually broad coverage (both entities and NPI)
- Governance challenges – expanded CISO responsibilities, senior executive signing annual certification
- Short ramp up and breach notice requirements
- Specific requirements that will likely require adjustments even to most mature cybersecurity programs

Page 29

6. Questions and Answers

Page 30

Questions?

Contact us to learn more

Jim Halpert, Co-Chair, US Cybersecurity Practice and Co-Chair, Global Data Protection, Privacy and Security Practice, DLA Piper, [email protected], 202.799.4441

Judy Selby, National Lead, Cyber Insurance & Data Privacy, BDO Consulting, [email protected], 203.905.6252

Mike Stiglianese, National Lead, Technology & Cybersecurity – Financial Services Industry, BDO Consulting, [email protected], 212.817.1782

Rena Mears, Principal, Global Data Protection, Privacy, and Security, DLA Piper, rena.mears@dlapiper.com, 415.836.2555

Carla Small, Of Counsel, Insurance Sector, DLA Piper, carla.small@dlapiper.com, 212 335 4532