DFS Rulemaking on Cybersecurity Published
Staff Contact: Johnny Evers, PhD
December 28, 2016
The Department of Financial Services (DFS) published a revised rulemaking on cybersecurity requirements for financial institutions in the December 28, 2016 State Register.
In issuing the revised rule, the Department said it had received more than 150 comments on the initial rule. DFS will be accepting comments on the revised rule until January 27, 2017.
The revised rule addresses several of the issues raised by The Business Council, but our members’ most significant concerns regarding lack of flexibility and excessively broad scope were not amended.
Major changes (listed by section) are provided below. We welcome member input on this revised rule.
- Section 500.01 Definitions.
- (1)(2) (i-v) Business-related information of a Covered Entity is defined largely along the lines of social security numbers, driver's licenses, account numbers for various items such as credit cards, security and access codes, and biometric records.
- (h) Person, (i) Penetration Testing, (k) Risk Assessment, and (n) Third Party Service Provider(s) are all defined.
- Section 500.02 Cybersecurity Program
- Major changes include: (c) A Covered Entity may meet the requirements of this Part by adopting a cybersecurity program maintained by an Affiliate, provided that the Affiliate’s cybersecurity program covers the Covered Entity’s Information Systems and Nonpublic Information and meets the requirements of this Part.
- (d) All documentation and information relevant to the Covered Entity’s cybersecurity program shall be made available to the superintendent upon request.
- Section 500.03 Cybersecurity Policy
- (a) The written policy can be approved by a senior officer or committee or “equivalent governing body” based on the Covered Entity’s Risk Assessment. Also adds “(3) asset inventory and device management”.
- Section 500.04 Chief Information Security Officer
- The CISO is defined, and may be employed by a Third Party Service Provider or an Affiliate provided several outlined conditions are met.
- Section 500.05 Penetration Testing and Vulnerability Assessments
- (a) The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic penetration testing and vulnerability assessments, and shall be done periodically. Absent effective continuous monitoring, or other systems to detect, on an ongoing basis, changes in Information Systems that may create or indicate vulnerabilities, Covered Entities shall conduct:
- (1) annual penetration testing of the Covered Entity’s Information Systems determined each given year based on relevant identified risks in accordance with the Risk Assessment; and (2) bi-annual vulnerability assessments, including any systematic scans or reviews of Information Systems reasonably designed to identify publicly known cybersecurity vulnerabilities in the Covered Entity’s Information Systems based on the Risk Assessment.
- Section 500.06 Audit Trail
- Generally, this section rewrites and defines the audit trail guidelines and changes the audit records retention period under (b) from 6 to 5 years.
- Section 500.07 Access Privileges
- Limits “user access” based on the Covered Entity’s Risk Assessment and requires periodic reviews of access privileges.
- Section 500.08 Application Security
- Lays out a system requiring “written procedures, guidelines and standards” … “within the context of the Covered Entity’s technology environment.” Also, under (b), requires that the guidelines be reviewed “periodically”.
- Section 500.09 Risk Assessment
- Procedures: “(a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations. The Covered Entity’s Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.”
- Section 500.10 Cybersecurity Personnel and Intelligence
- Generally specifies requirements for (1) “qualified cybersecurity personnel” and (3) that the Covered Entity “verify” they “maintain current knowledge”.
- Section 500.11 Third Party Service Provider Security Policy
- Generally, mandates that each Covered Entity ensure third party providers maintain security under written policies and the Risk Assessment of the Covered Entity, such as (4) “periodic assessment”, (4)(b) “contractual protections”, and other examples; and a (4)(c) “limited exception”.
- Section 500.12 Multi-Factor Authentication
- (a) “Multi-Factor Authentication. Based on its Risk Assessment, each Covered Entity shall use effective controls, which may include Multi-Factor Authentication or Risk-Based Authentication, to protect against unauthorized access to Nonpublic Information or Information Systems.”
- Section 500.13 Limitations on Data Retention
- Generally, governs “secure disposal on a periodic basis of any Nonpublic Information identified in 500.01 (g)(2)-(3) that is no longer necessary”.
- Section 500.14 Training and Monitoring
- Provides for training and monitoring of “all personnel”, as informed by the Risk Assessment.
- Section 500.15 Encryption of Nonpublic Information
- (a) As part of its Risk Assessment, “each Covered Entity shall implement controls, including encryption, to protect Nonpublic Information.” Outlines “alternative compensating controls”.
- Section 500.16 Incident Response Plan
- Largely the same as the previous draft.
- Section 500.17 Notices to Superintendent
- Outlines notice requirements to the Superintendent: (a) notice “no later than 72 hours”. Also requires an annual statement by February 15 that the Covered Entity is in compliance.
- Section 500.18 Confidentiality
- Outlines exemptions from disclosure under various laws, e.g., banking law.
- Section 500.19 Exemptions
- Exemptions for “fewer than 10 employees”.
- (b) “An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity. (c) A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.”
- Those exempt must file an exemption with DFS (Appendix B).
- Section 500.20 Effective date
- March 1, 2017 (was January 1, 2017), with specific compliance dates for various sections ranging from 1 year to 2 years.
- Section 500.23 Severability Clause
In the December 28th publication DFS also outlined the Assessment of Public Comment, describing the major changes between the initial draft regulations and the revised regulations. These comments are summarized in the following documents: Assessment of Public Comment and State Register.