Deal Law Wire - Norton Rose FulbrightNew cybersecurity requirements for Department of Financial Services (DFS)-regulated entities took effect on March 1, 2017. The New York DFS created these requirements in response to recent or potential threats to sensitive electronic information, particularly financial information and private consumer information. EY’s report provides an overview of the new framework with implications for the affected entities. A main goal is to protect information systems of the affected entities and the non-public information stored in those systems.

The new cybersecurity requirements include indications for the below-noted areas. An annual statement certifying compliance with these requirements must be submitted to the Superintendent by February 15th. In the context of a M&A transaction, purchasers considering the acquisition of a DFS-regulated entity should conduct effective due diligence to ensure the target is in compliance with these new requirements.

Risk assessment

Each entity must periodically assess the risk to its information systems from a cybersecurity standpoint. This assessment must be in accordance with defined policies and is to inform the cybersecurity program and policies developed under the new requirements.

Cybersecurity program

Each entity must maintain a cybersecurity program that performs enumerated cybersecurity functions including the identification and detection of, protection against, response to, and recovery from cybersecurity events and risks, including an incident response plan. The entity must also manage access to its non-public information by maintaining user access privileges, having policies on data retention, monitoring access, providing training regarding access, and implementing encryption or encryption-like protection for non-public information held or transmitted by the entity, including over external networks. The entity must also ensure that its (or third-party) development of computer applications meet defined security-related standards. Further, the entity must perform penetration testing and vulnerability assessments on its cybersecurity program at a specified frequency and in accordance with the risks identified by its risk assessment.

Cybersecurity policies

Each entity must adopt a written policy or policies that address, as applicable, 14 enumerated items relating to information access management, security, data governance, business continuity and recovery, and risk assessment and response. Further, each entity must adopt written policies applicable to information systems and non-public information that are accessible to its third party service providers.

Chief Information Security Officer (CISO) and personnel

Each entity must designate a CISO who is responsible for managing and enforcing the cybersecurity program and policies. The CISO must prepare a written report to the entity’s board of directors. The entity must also have qualified cybersecurity personnel who are trained in addressing cybersecurity risks.

Notices to Superintendent and record keeping

In the event of a material cybersecurity event, the entity must notify the Superintendent within 72 hours.

Additionally, the entity must maintain records that support its annual certification of compliance with these requirements, as well as certain audit trails that can help support its normal operations and that can detect and respond to material cybersecurity events.

The author would like to thank Larissa Leong, Articling Student, for her assistance in preparing this legal update.

Stay informed on M&A developments and subscribe to our blog today.