August 28, 2017 marks the end of the initial 180-day grace period for compliance under the New York Department of Financial Services’ “first-in-the-nation” cybersecurity regulations (the “Rules”). The initial regulations were proposed last year, but NY DFS received robust public comments that led to significant amendments. While the proposed regulations set out proscriptive, one-size-fits-all requirements, the final Rules align more closely to flexible federal, financial sector guidance, captured in the NIST cybersecurity framework and the FFIEC cybersecurity assessment tool. Accordingly, the final Rules require that cybersecurity programs be calibrated to periodic “risk assessments” that give entities discretion to specify the criteria used to identify, evaluate, and remediate risks, in the context of technological developments and corporate controls.
While covered entities are technically required to be in compliance with the Rules as of Monday, there are additional transitional periods for certain items (see below), and entities have until February 15, 2018 to submit their first certifications to NY DFS. For organizations still working through compliance requirements, the below steps may help to prioritize and implement a work plan. READ MORE
For businesses that work with the U.S. Department of Defense (“DoD”), two important rules for safeguarding certain categories of sensitive information and reporting cyber incidents were recently finalized, updating the interim rules promulgated in late 2015. The first rule amends the Defense Federal Acquisition Regulation Supplement (“DFARS Rule”) and went into effect on October 21, 2016. The second rule modifies the previously voluntary DoD cybersecurity information-sharing program in connection with the Defense Industrial Base (“DIB Rule”) and went into effect on November 3, 2016.
We previously explained the changes brought about by the interim rules. Here, we explain what changed after the rules’ comment periods, and provide suggestions for compliance.
Happy U.S. National Cybersecurity Awareness Month! One year ago, in recognition of the Department of Homeland Security’s annual campaign to raise awareness about cybersecurity, Orrick’s Cybersecurity & Data Privacy Group launched its award winning blog Trust Anchor.
Almost daily we hear news about data breaches, cybersecurity and privacy enforcement proceedings, litigation, and new laws and regulations. Trust Anchor covers it all: recent cases, legislative and regulatory developments, emerging compliance standards and best practices for cybersecurity and privacy risk management, insurance trends and more! But, we don’t just report on these events, we highlight key takeaways and what these developments mean for you.
On December 30, 2015, DoD published an interim rule, effective immediately, amending portions of the August Rule. Most importantly, pursuant to the new rule, contractors administering covered information systems that are not being operated on behalf of the government now have until December 31, 2017 to implement the new NIST SP 800-171 standards. Previously, through a class deviation, contractors were given an additional nine months after contract award to comply with the multifactor authentication provisions of NIST SP 800-171. The new December 31, 2017 deadline gives contractors significantly more time to implement all of the requirements of NIST SP 800-171.
The United States Department of Defense (“DoD”) recently published two new rules that impose broader obligations to safeguard information that falls within specified categories of sensitive data and to report cyber incidents to the government. These rules generally apply to companies that have been awarded new DoD procurement contracts, that hold subcontracts under such DoD contracts, or, in some cases, that have been awarded other types of agreements with DoD. The rules:
- expand contractors’ and subcontractors’ safeguarding responsibilities and obligations to report and investigate cyber threats;
- modify the scope of data that contractors and subcontractors must safeguard and the universe of contractors and subcontractors to which the requirements apply;
- establish requirements for contractors and subcontractors using cloud computing to provide information technology services to DoD, including requiring such contractors to keep government data within the United States, implement DoD-approved safeguards, and limit disclosure of and access to government data;
- expand and make mandatory DoD’s previously voluntary cyber incident reporting system for defense industrial base (“DIB”) agreement holders; and
- open DoD’s voluntary cybersecurity information sharing program up to a greater range of agreement holders.
The new rules reflect DoD’s intensified focus on treatment of export controlled technology and other categories of sensitive data. Awardees of DoD procurement contracts, subcontracts, and other types of instruments such as cooperative agreements are well-advised to make their data-security and export control compliance programs comport with these new requirements.
On February 3, 2015, the U.S. Securities and Exchange Commission released a Risk Alert addressing cybersecurity issues at brokerage and advisory firms, along with suggestions to investors on ways they can protect themselves and their online accounts. FINRA issued a similar, more extensive “Report on Cybersecurity Practices” on the same day.