Cyber Regulation Demands Board Accountability: Part 2 in a 3-Part Series
This is our second installment in a three-part series examining the New York State Department of Financial Services (“DFS”) new cybersecurity regulation. In this installment, we provide an overview of the regulation’s impact on corporate governance and the scope of liability for corporate boards.
The cornerstone for the new DFS cybersecurity regulation is accountability at the top of an organization. In a survey used to inform the development of the regulation, the DFS explained that “cyber security tends to be highly IT-centered.” Another DFS survey of insurance companies found that 60% of their CEOs, and 21% of their boards of directors, are only updated about cybersecurity issues on an “ad hoc basis.”
In less than six weeks, when the regulation becomes law, ad hoc review will no longer be an option. As the regulation itself makes clear, senior “management must take [cybersecurity] seriously and be responsible for the organization’s cybersecurity program.”
As part of this obligation, key implementation requirements include:
- Board Review of an Institution’s Cybersecurity Policy: Under the regulation, board accountability begins with mandated “review” of the company’s central cybersecurity policy. The contents of that policy are prescribed in detail by the DFS and must, at a minimum, address data governance, access controls, disaster recovery planning, performance planning, network security, customer data privacy, third-party management, and incident response.
- C-Suite Policy Approval: Not only is the cybersecurity policy subject to board review, but a senior officer of the company—defined as a “senior individual” who is responsible for “management, operations, security, information systems, compliance and/or risk”—must approve the policy.
- Ongoing Obligation: Review and approval of the policy is an ongoing process and must occur “as frequently as necessary,” but not less than annually.
- Written Compliance Certification: The chairperson of the board of directors or a senior corporate officer must also certify in writing to the DFS annually that the company’s cybersecurity program complies with the regulation.
- Chief Information Security Officer Appointment: Institutions must also designate a “qualified individual” to serve as Chief Information Security Officer (“CISO”). In addition to overseeing and implementing the company’s cybersecurity program and policy, the CISO must report to the board bi-annually on a broad set of issues, including the integrity of the company’s information systems, the effectiveness of the company’s cybersecurity program, any perceived cybersecurity risks, and all material cyber events affecting the company. The CISO’s report must be made available to the Superintendent of the DFS upon request.
These requirements are significant. Unlike any other state’s regulatory scheme, the DFS requires board-level engagement, consistent reporting, and the appointment of a chief information security officer. And that is just the beginning. As we explained in the first installment of this series on Monday, the regulation will require many covered companies and their third-party contractors to revamp their day-to-day cybersecurity practices in order to comply.
COMING LATER THIS WEEK
In our final installment in this series, we will examine the requirements the regulation imposes on third-party business partners and vendors, including law firms, and the practical implications for them, including cybersecurity audits, contractual representations and warranties, and vendor due diligence.
As a reminder, Patterson Belknap will publish a hard-copy primer for our clients that examines the proposed regulation in detail and highlights implementation issues, requirements, and pitfalls. If you would like further information or a copy of the primer, please email DataSecurityLaw@pbwt.com.