Re: Proposed Cybersecurity Requirements for Financial Services Companies DFS P

Transcription

1 CATHERINE M. TULLY Director, Government Affairs Submit via electronic mail: November 15, 2016 Ms. Cassandra Lentchner Deputy Superintendent for Compliance NYS Department of Financial Services One State Street New York, New York Dear Ms. Lentchner: Re: Proposed Cybersecurity Requirements for Financial Services Companies DFS P The Business Council is New York s largest statewide employer association, representing more than 2,400 private sector employers in all business sectors located across the state. The Business Council applauds the Department of Financial Services (DFS) for initiating the discussion on cybersecurity. This is a complex issue in a technology arena where the landscape is constantly changing. The proposed rulemaking brings attention to the challenges of maintaining internet safety and security, and highlights the potential risks of placing non-public information and data in jeopardy. Regardless of how vigilant and rigorous a cybersecurity program may be, it cannot perfectly secure every act, thus businesses need flexibility to focus on the information that is critical to securing its market. Consequently, a one size fits all approach is neither effective nor manageable. The diverse membership of the Business Council includes many of the industry leaders, as well as small and mid-size businesses from every segment of the market including finance, manufacturing, insurance, telecommunication, technology. Our economy is a global economy and since many of the companies operate not just in New York State, but in other states and in foreign markets they must anticipate threats levied against their systems from a variety of avenues. All of these industries require safeguards for both the propriety information common to industry-specific markets and the customer data entrusted to them by consumers. Protected, proactive steps include the employment of state of the art cybersecurity programs and the retention of experts on internet security. The complexity, cost and the transition time needed to effectively implement the proposed regulation should be the result of a deliberative process to ensure that the business community and the third party vendors have the opportunity to engage with the Department to ensure compliance with the proposal is reasonable, effective and consistent with federal and state laws and regulations. The Business Council has received input from a number of our members many will be submitting detailed comments addressing their individual concerns. However, in our discussions, there were several issues that had a commonality, including the following:

2 The proposal applies to all Covered Entities, defined to include the DFS registered and licensed entities ( (c)). Some DFS registered and licensed entities, however, do not maintain any Information Systems and do not possess any Nonpublic Information, as those terms are defined in the proposal. In some instances, entities become licensed in New York for the limited purpose of complying with requirements under the insurance laws and related regulations requiring licensure for insurance producers as a condition of receiving commission payments. Other firms may only open a sales office in New York State that must be registered pursuant to DFS requirements. But if these entities do not actually maintain information systems and personal data or other information governed by the proposal, then any final rule resulting from the proposal, we suggest, should not apply. According, it is recommended that the DFS revise the definition of Covered Entity to exclude entities that do not operate or maintain an Information System and do not generate, receive or possess Nonpublic Information. The broadly defined Cybersecurity Event (d) will require institutions to report any attempt on an information system, even unsuccessful attempts, to the Superintendent within 72 hours. In addition, (a) (2) requires reporting where there is potential unauthorized tampering with nonpublic information. Compliance will be a challenge as entities must be able to identify these unsuccessful attempts to access their systems and then document what conceivably could be thousands of such attempts on a daily basis. Further, this extraordinary number of events will result in inundating DFS with reports of potential threats, a majority of which were blocked, prevented or otherwise defended. It is recommended that the definition establish a higher threshold for reportable incidents so that staff and resources at the Covered Entities and at the Department direct their efforts on the actual acts and threats that information systems encounter every day set forth the required Notices to the Superintendent. As stated above, businesses can and do receive thousands of attempted threats daily to penetrate their information technology systems. Seventy-two hours is a short span of time for a business to provide a comprehensive report to DFS of every event that is identified as an attempted cybersecurity event. Moreover, at a time when an entity is responding to an actual act or threat, filing a report should not be the priority. The attention must be given to focusing on the actual act, assessing the situation, bringing in experts and determining any impacts. These necessary actions require more than 72 hours. We believe that New York State Law already provides reasonable notification to the Attorney General and law enforcement agencies to disclose breaches in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement (General Business Law 899-aa; State Technology Law 208). A rule with a workable timeframe more in tune with the realities of reacting to a confirmed material act rather than attempts to disrupt the system and consistent with current law is recommended. The definition of Nonpublic information (NPI) (g) essentially captures any information held by an institution including business related information as well as personal information. This wording appears to protect information that is not identifiable or is aggregated such that it is not attributable to an individual. The definition should be modified to limit its focus on the types of sensitive information that is personally identifiable information. Specifically, (g) (4) should be removed from the definition. It includes information that is linkable even if not currently used to identify a customer. Without limiting the definition to information that is already linked to a customer, any information collected or tracked by a Covered Entity could potentially be included in the definition. Moreover, the inclusion of information about an individual used for market purposes should be stricken because it could potentially include information created by a Covered Entity based on that customer s use of the site. Such information would be information that a Covered Entity creates about an individual that is of no use or benefit outside of the Covered Entity s internal systems.

3 The Encryption of Nonpublic Information would cover virtually all nonpublic information relating to a customer regardless of sensitivity. There is concern over the lack of flexibility to assess what an entity is protecting and to ensure that it is the sensitive personal information. The proposal would require encryption of any system on which customer information is maintained as well as every electronic transmission of customer information. There are a variety of technical controls that may be taken to protect data that are as effective as encryption. Institutions should be able to select other methods based on their risk assessment. It is recommended that institutions have the flexibility to assess what they are protecting and implement accordingly. The definition of Publicly Available Information (j) should reference any information that a Covered Entity has a reasonable basis to believe is lawfully made available to the general public. The rest should be deleted. As currently drafted, Covered Entities could be deemed to have an obligation to determine the source of publicly disseminated information to determine whether it meets the definition. A Covered Entity should not have the burden of determining the source of the information, provided that information was found in the public domain, nor should they have the burden of determining whether a particular news source is sufficiently widely distributed to meet the standard. It is not possible to know distribution of online materials and news sources. Moreover, the definition fails to include information that has been made available to the general public by the individual themselves. The implementation of a Third Party Information Security Policy ( ) is an important component in protecting and securing the information systems. However this is also an area where a uniform, one size fits all model is not workable. Institutions need the flexibility to evaluate separately what types, if any sensitive information it is sharing with each of their third party provider relationships and craft the appropriate terms on a case by case basis. In addition, requiring Covered Entities to include preferred provisions in contracts with third party providers imposing multi-factor authentication and encryption requirements would present significant challenges for vendor procurement. In particular, requiring representations and warranties that no service provider could possibly provide (i.e., that their service or product is free of viruses, trap doors, time bombs and other mechanisms) and could result in hardship finding providers willing to enter into contracts to warrant those significant security requirements that are not risk based and do not take into account the specific relationship. Institutions can, based on a risk assessment approach, determine the types of service providers on which to impose security obligations [ (b) (5)]. It is also noted that requiring identity protection services in certain data breach situations may not be necessary, and we suggest that language provide some flexibility and allow provision for appropriate remedies, including identity protection services (b)(4). The proposed regulation would also impose requirements directly on the Boards of Directors of Covered Entities (b). New York Business Corporation Law ( 701) states that the business of a corporation shall be managed under the direction of its board of directors. As such, it is the Board s role to provide oversight to the management of the corporation. Therefore, while Boards should be exercising oversight in the area of risk, which would include cybersecurity, it would be outside of their duties to play an operational role in the management of that risk. However, certain aspects of the proposed regulation go too far in pushing the Board toward a more operational role in cybersecurity, as well as micromanaging how the Board conducts its oversight. For example, (b) would require the Chief Information Security Officer to report to the Board biannually on specific topics and details. The report to the Board would be required to contain specific categories of information such as detail[ed] exceptions to the Covered Entity s cybersecurity policies and procedures (b) (2). Mandating the Board to review such technical operational matters

4 would divert valuable time and attention of the Board away from its important role of overall oversight from a strategic perspective, and it could have the unintended consequence of creating more risk for an organization. Similarly, the proposed regulation would also require the Board to review the company s written cybersecurity policy and annually certify as to the adequacy of the cybersecurity program. Again, certifying the adequacy of a highly technical program is outside the scope of the appropriate role of a Board of Directors and unlike anything else a Board typically does in executing its oversight role. A one size fits all approach that micromanages the operation of Boards of Directors is neither appropriate, given the complex differences among Covered Entities, nor necessary. The Business Corporation Law ( 717) already requires Board members to act in good faith and with that degree of care which an ordinarily prudent person in a like position would use under similar circumstances, and there is a well-established body of law governing how Boards should exercise their responsibilities. Given the importance of cybersecurity in this day and age, these fiduciary duties dictate that Board members involve themselves in the oversight of cybersecurity strategy. The DFS should not impose new, operational duties on Boards that would take away from these oversight functions. It is recommended that the language in the Certification of Compliance (attachment A) be amended such that: (1) The Board of Directors (or name of Senior Officer(s)) have reviewed the management of the company s cybersecurity program in the past year. and (2) The Board of Directors (or name of Senior Officer(s)) have reviewed the assessment of compliance to the NYS cyber regulation. The audit trail provision ( ) requires tracking and maintaining data for six years. Security systems are constantly being updated, and retention of all records for that period of time would likely not provide any useful information and would create significant storage burdens. Again, allowing entities the flexibility to determine the appropriate retention time, such as a period of one year, is more reasonable and consistent with industry standards. Cybersecurity is a difficult challenge for government and businesses alike. As previously stated, it is critical that the development of regulations provide the necessary rigors and flexibility to ensure compliance; this requires further discussion and study. The Business Council recommends that consideration be given to the complexity of compliance with the rulemaking and that DFS extend out the effective date of January 1, 2017 to allow for revisions to the proposal based on the issues raised and the proposed amendments submitted by the Business Council, its members and others. Moreover, it is recommended that extension of the timetable beyond the transitional period of 180 days is necessary for Covered Entities to develop and properly assess all the policies, procedures and controls required by this proposed regulation. This proposal purports to regulate financial institutions that are already subject to regulation and oversight under federal law. Members have raised concern that compliance with federal standards and requirements along with New York s proposal will lead to disarray and misaligned cybersecurity measures across the industry instead of working toward greater coordination and harmonization. The proposed regulation should be done in such a manner that is consistent with the evolving federal framework. In conclusion, the proposal s rigid standards of regulation do not take into account the varying sizes, resources and types of financial services companies and third party providers to which it would apply. Complying with this proposal would involve a significant investment of time, staffing and resources. It is a challenge for businesses to protect and maintain a viable, safe and effective information system. A

5 risk-based approach provides the flexibility and the opportunity for them to assess and implement methods necessary to ensure the integrity of their systems. Thank you for the opportunity to comment on this very important proposed regulation. Sincerely, Catherine M. Tully Director of Government Affairs