New Cybersecurity Regulations May Apply to Companies that do Business with NYS-Chartered or Licensed Banks, Mortgage Bankers, Insurance Companies and Others
As we reported on March 6, 2017, the NYS Department of Financial Services (DFS) issued detailed new cybersecurity regulations for certain “Covered Entities” (defined below) that operate under DFS jurisdiction, including certain banks, insurance companies, and other “financial services” providers. However, the new regulations will reach beyond these Covered Entities because they also contain requirements that will affect businesses that work with Covered Entities and have access to private information about the Covered Entities’ borrowers, customers, or other persons.
For example, these regulations may apply to a wide range of businesses that provide services to, or receive/process confidential customer data from, banks, insurance companies, charitable foundations, mortgage bankers, and insurance brokers. The list of potentially affected “third party service providers” could include law firms, accounting firms, IT service providers, federally chartered institutions providing correspondent banking services, non-NY licensed loan servicers and non-NY licensed persons and companies providing services to insurance companies or brokers, and, in certain circumstances, could possibly extend to manufacturing businesses, staffing agencies, and even construction companies.
Third party providers that fall within the scope of the regulations may be required to implement policies and procedures relating to how various computer systems are accessed (including possibly requiring the use of Multi-Factor Authentication), how data is stored or transferred between systems (including requirements for the use of encryption technology), and what they must do in the event of a data breach (including specific notice requirements and other obligations).
As noted above, the regulations apply directly to any “Covered Entity,” which is defined in the regulations as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” This is a very broad definition that itself poses some difficulty. As also noted above, it will certainly include various banks and insurance companies, but may also include entities that you may not readily identify as “financial services” companies, such as certain charitable foundations and holding companies.
Because DFS does not have jurisdiction over the third party service providers, the regulations require the Covered Entities themselves to impose requirements on third party service providers. Among other potential requirements, the Third Party Service Providers will be required to: (1) have policies and procedures relating to access controls (including the use of Multi-Factor Authentication) with regard to third party access to the Covered Entity’s information systems; (2) have policies and procedures for use of encryption of the Covered Entity’s private data; (3) follow specific notice requirements and other procedures in the event of a cybersecurity breach event involving a Covered Entity’s private data; and (4) provide representations and warranties to the Covered Entity affirming that the Third Party has the policies, procedures, and practices in place to ensure the security of the Covered Entity’s private data.
There are various deadlines that the Covered Entities are required to meet in terms of complying with the various aspects of the regulations. With regard to third party providers, Covered Entities have until March 1, 2019 to ensure that all of their third party service providers comply with the applicable requirements.
These new regulations are likely to affect the cost of providing services to Covered Entities, and could change the manner in which third parties provide their services to Covered Entities. We recommend that any business that provides services to a potential “Covered Entity” assess those relationships to determine whether it might fall within the scope of the regulations as a “third party service provider.” If you are a third party service provider, review your agreements with Covered Entities and assess your existing policies, procedures, and practices relating to cybersecurity, including system access and encryption, to determine the impact of compliance and the steps to be taken to comply with the new requirements.