The New York Department of Financial Services (NYDFS) is expected to pass a proposed cybersecurity regulation in January 2017, called "Cybersecurity Requirements for Financial Services Companies". In the light of the imminent regulatory update, most financial institutions, and insurance providers are preparing to comply with the fundamental requirements that the NYDFS will likely adopt. In this webinar, we covered: - Explanations of the regulation’s key legal requirements; - How the regulation interacts with other data security laws; - Industry best practices for securing data; - The value of online compliance training.

1. How to Approach the NYDFS
Proposed Cybersecurity
Requirements

2. About the Presenters
Douglas Kelly
Lead Legal Writer
EverFi
Brian Ralston
Compliance Training Executive
EverFi

3. Purpose of Webinar
● Explain key legal requirements of the Regulation and
how it interacts with other data security laws.
● Trends, industry best practices, and the value of online
compliance training.

4. Why We Care About The Regulation
Out of 78 surveyed in-house counsel and compliance
professionals:
● 73% said cybersecurity was their biggest compliance
risk.
● 72% said data breaches were their second biggest
compliance risk.
DLA Piper. (Apr. 2016). Compliance & Risk Report: CCOs Under Scrutiny. Retrieved from
https://www.dlapiper.com/~/media/Files/Insights/Publications/2016/04/DLA_Piper_Complia
nce_Risk_Survey_Report2016.pdf.

5. Why We Care About The Regulation
The DFS reports:
● 79% of surveyed depository institutions were increasing
their cybersecurity budgets for 2014 - 2017.
● Top three factors driving cybersecurity spending:
1. Compliance and regulatory requirements
2. Business continuity and disaster recovery
3. Reputation
New York State Department of Financial Services. (May 2014). Report on Cyber Security
in the Banking Sector. Retrieved from
http://www.dfs.ny.gov/reportpub/dfs_cyber_banking_report_052014.pdf.

6. Why We Care About The Regulation
● Data Breaches
○ “Most institutions irrespective of size experienced intrusions or attempted intrusions
into their IT systems over the past three years.” DFS.
● FinTech
○ “As technology dependence in the financial sector continues to grow, so do
opportunities for high-impact technology failures and cyber-attacks.” Federal Rese
Board.
● Reputation

7. Agenda
● Regulation Key Requirements
● Industry Best Practices and Trends
● Value of Employee Conduct Training

8. THE REGULATION

9. Key Facts and Dates
● New York State Department of Financial Services (DFS)
● Who’s Covered
○ Anyone authorized to operate under New York banking, insurance, or
financial services laws. Unclear.
● Effective?
○ January 1, 2017.
○ BUT have until June 30, 2017 to comply.
23 NYCRR 500.20, 21

10. Case Study
● OCC Security Breach - October 2016
○ Employee downloaded confidential OCC data onto a thumb drive, retired.
○ Download happened 11/2015, not discovered until 9/2016 during audit (performed
every two years).
○ No policy forbidding access at time of download.
○ Data was encrypted, no confidential information misused or leaked.
○ OCC immediately contacted appropriate personnel, then Congress.

11. NONPUBLIC INFORMATION

12. Nonpublic Information - General
1. Electronic, “business related information” that would cause a
“material adverse impact to the business, operations or security”
if released.
OCC Case Study
23 NYCRR 500.01(g)(1), (j)

13. Nonpublic Information - Financial
2. Any information that an individual provides in
connection with any financial product or service.
→ Gramm-Leach-Bliley Act - Privacy Rule
23 NYCRR 500.01(g)(2)
“nonpublic personal information”
{ }

14. Nonpublic Information - Health
3. Health information. “Any information... that relates to the... physical, mental or
behavioral health or condition of any individual... [and] payment for... health care.”
→ Health Insurance Portability Protection Act (HIPAA) - Privacy Rule
23 NYCRR 500.01(g)(3)
“Individually identifiable health information”
{ }

15. Nonpublic Information - Catch-all
4. “Any information that can be used to distinguish or trace an individual’s identity”
or “linkable to an individual”
→ EU General Data Privacy Regulation (GDPR) FAQ
23 NYCRR 500.01(g)(4)
“Any information related to a natural person
. . . that can be used to directly or indirectly
identify the person.”{ }

16. Takeaway #1
Only Nonpublic Information

17. CYBERSECURITY PROGRAM

18. Background - NIST and FFIEC
National Institute of Standards and Technology’s (NIST)
Framework Core
● Keep a lookout for Events and Presentations, News
○ Ex. Nov. 2016 - IoT Guidance
Federal Financial Institutions Examination Council (FFIEC)
Cybersecurity Assessment Tool
● FFIEC Information Technology Examination Handbook, NIST
23 NYCRR 500.02

19. The Law - Cybersecurity Program
Your cybersecurity program must now include:
1. Identify Cyber Risks
2. Protect Nonpublic Information
3. Detect Cybersecurity Events
4. Respond to Cybersecurity Events
5. Recover from Cybersecurity Events
6. Fulfill all regulatory reporting obligations
23 NYCRR 500.02

20. Pending Regulations, Bills
Two pending laws reflect the same “risk-based” approach:
● Data Security Act of 2015 (A06866)
○ Requires “reasonable safeguards”
○ Incorporates GLB Act, HIPAA, NIST, and international laws.
● Enhanced Cyber Risk Management Standards
○ Interagency proposed rule
○ Incorporates NIST, FFIEC, GLB Act

21. International Laws
Big international laws require similar security measures:
● EU Data Privacy Shield
○ “reasonable and appropriate measures to protect [data] from loss,
misuse and unauthorized access. . . taking into due account the risks.”
● GDPR
○ “implement appropriate technical and organizational measures” taking
into account “the state of the art and the costs of implementation . . . as
well as the risk of varying likelihood and severity.”

22. Takeaway #2
Risk Management

23. CYBERSECURITY POLICIES

24. Cybersecurity Policies - Four Requirements
● Cybersecurity Policy
○ 14 subjects, including “systems and network monitoring” “vendor
and third-party service provider management” “risk assessment”
● Incident Response Plan
● Third Party Information Security Policy
● Security for In-House Developed Applications
OCC Case Study
23 NYCRR 500.03, 500.11, 500.16, 500.08

25. Cybersecurity Policies - Third Parties
Two main requirements when doing business with third parties:
● Written policy re: security that third parties must use IF handling nonpublic information.
○ “periodic assessment, at least annually, of such third parties and the continued adequacy of
their cybersecurity practices.”
● Put specific warranties in third party contracts.
○ Ex. “Multi-Factor Authentication” “encryption”
23 NYCRR 500.11

26. Cybersecurity Policies - Third Parties
Two things to consider:
● Third party ability to comply with data security requirements.
● International Laws
○ GDPR
■ “contracts with processors [must] comply with the GDPR”
○ EU Data Privacy Shield
■ contracts with third party “controllers”

27. Cybersecurity Policies - FTC
Failure to comply with your own cybersecurity policies is an “unfair practice”
under the FTC Act
● LabMD, Inc., Credit Karma, Fandango
“In this case, LabMD had policies in place that might have avoided the breach, but the policies
weren’t followed. In addition, all employees should have a basic knowledge of data security and
privacy [which, they did not].”
Day, Christine. (2016, Aug. 7). Failure to Protect Data is an Unfair Practice. LawRoom Blog. Retrieved from
http://blog.lawroom.com/data-security/failure-to-protect-data-is-an-unfair-practice/?_sft_category=data-security.

28. Cybersecurity Policies - Culture
A culture of compliance ensures employees actually follow your policy:
● Tone at the Top
● Legitimacy
○ i.e. codes and policies being enforced visibly and fairly.
● Management
○ i.e. taking policies seriously and following them.
Kelly, Douglas. (Sept. 2016) Compliance Culture: What It Is, and How To Build It. Retrieved from
https://www.youtube.com/watch?v=AIiSJp8jIWc&feature=youtu.be.

29. Cybersecurity Policies - Action Plan
Compare all data security policies:
● Privacy notices to customers
○ Ex. “nonpublic personal information”*
● Existing internal data security policies
● Third party contracts and policies
● Online privacy statement
*16 C.F.R. § 313.6(a)(1)

30. Takeaway #3
If You Write It, Do It

31. Other Requirements

32. Security Requirements
Required security protocols:
● Penetration Testing and Vulnerability Assessment. 500.05
○ annually, quarterly
● Audit Trail. 500.06
● Access Restrictions. 500.07
● Risk Assessments. 500.09
● Application Security. 500.08
● Multi-Factor Authentication. 500.12
● Data Disposal. 500.13
● Encryption. 500.15
OCC Case Study

33. Staffing Requirements
Two main changes:
● Chief Information Security Officer (CISO) to oversee program
● Adequate personnel to maintain cybersecurity program
OCC Case Study
23 NYCRR 500.04, 500.10

34. Reporting Requirements
New reporting requirements:
● CISO report to Board of Directors (2x a year)
● CISO and Board certify compliance to DFS (1x a year)
● CISO report to DFS if there’s a breach
Old reporting requirements:
● NYS Information Security Breach and Notification Act
OCC Case Study
23 NYCRR 500.04

35. Training Requirements
Monitor activity of Authorized Users
● Mitigate risks, implement controls
Train all employees
● “require all personnel to attend regular cybersecurity awareness
training sessions . . . updated to reflect risks identified by the . . .
annual assessment of risks.”
23 NYCRR 500.15

36. Takeaway #4
It Takes a Village

37. Training

38. Employees Are Critical Assets
“Although external threats tend to grab headlines, insider breaches from employees, consultants, and
others can do just as much—if not more—harm to an institution.” DFS.
“Establishing an information security culture that promotes an effective information security program and
the role of all employees in protecting the institution's information and systems.” FFIEC IT Examination
Handbook.
“76% of IT respondents (up from 67% in a 2014 study) said that their organization had experienced the
loss or theft of company data in the last two years. Insider negligence was more than twice as likely as
external attackers to compromise insider accounts.” Ponemon Institute.

39. Data Security Threats
● Phishing
○ “In one instance, Verizon analyzed millions of phishing scams and found that 30% of phishing
messages were opened by employees.”
● Shadow IT
○ “80 percent of employees use unsanctioned web applications for work.”
● Password Reuse
○ “63% of confirmed data breaches exploited stolen, weak, or default passwords.”

40. Recap
The DFS requires the following of your cybersecurity program:
● Identification of cyber risks.
● Implementation of policies and procedures to protect unauthorized access/use or other malicious
acts.
● Detection of cybersecurity events.
● Responsiveness to identified cybersecurity events to mitigate any negative events.
● Recovery from cybersecurity events and restoration of normal operations and services.

41. Our Training - Checkpoint
The DFS requires the following of your cybersecurity program:
● Identification of cyber risks.
● Implementation of policies and procedures to protect unauthorized access/use or other malicious
acts.
● Detection of cybersecurity events.
● Responsiveness to identified cybersecurity events to mitigate any negative events.
● Recovery from cybersecurity events and restoration of normal operations and services.

42. About LawRoom
● 20 years in business
● 10 attorneys on staff to help ensure ongoing course compliance and
proactive updates
● 20 instructional designers
● 6 mm employees and students will train with us in 2016
● 3300 corporations and universities rely on us today for compliance training
● Raised 61 million in funding (Amazon founder - Jeff Bezos, Twitter
co-founder - Evan Williams, Google EC - Eric Schmidt)

43. LawRoom Blog:
blog.lawroom.com
Compliance Tips
Thought-Leadership
Free to Join
Four Posts a Week

44. Request a Demo
If you would like to learn more about how LawRoom (powered by EverFi) can help you
meet these requirements, please contact us or type “DEMO” in the comments section.
Brian Ralston: bralston@everfi.com
Arjun Sharma: asharma@everfi.com