New York: Privacy and Data Protection-related Laws
The NYSDFS has implemented regulation regarding Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”). The Cybersecurity Regulation applies to all individuals and non-governmental entities operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, New York Insurance Law or New York Financial Services Law. This would include individuals or entities subject to the BitLicense, regardless of whether they involve a public blockchain. The Cybersecurity Regulation is designed to impose policies, procedures and technical protections to prevent and limit unauthorized access to protected data. Among these requirements are the following:
- Cybersecurity Program: Covered entities must create, document and implement an internal cybersecurity policy. This policy must be based on a risk assessment (described below) and implement “defensive infrastructure and… policies and procedures” to protect the financial data the entity possesses.
- Cybersecurity Policy: The Cybersecurity Program described above is documented in the form of a comprehensive Cybersecurity Policy. This policy must be approved by company leadership and address the following:
- Information security
- Data governance and classification
- Asset inventory and device management
- Access controls and identity management
- Business continuity and disaster recovery
- System operations and availability measures
- System and network security
- Systems and network monitoring
- Systems and application development and quality assurance
- Physical records security
- Vendor and third party service provider management
- Risk assessment
- Incident response
- Chief Information Security Officer: Each entity must appoint a Chief Information Security Officer (“CISO”), whose role it is to lead the Cybersecurity Program and oversee the creation and implementation of the Cybersecurity Policy.
- Penetration Testing and Vulnerability Assessment: The Cybersecurity Program must include annual penetration testing of vital systems and bi-annual system scans to assess the system and network requirements for known vulnerabilities.
- Risk Assessment: Each entity must perform a risk assessment based on written policies and procedures created and documented within the Cybersecurity Policy. This risk assessment is performed on the entity’s computer and network systems and forms the backbone of the Cybersecurity Program. The risk assessment is designed to highlight the major risks to the entity’s financial data, customer data, and other sensitive data and assist the entity in understanding how data flows through its systems and where it is most vulnerable. The Risk Assessment should be periodically revisited and updated as necessary.
- Third-Party Service Provider Security Policy: The Cybersecurity Regulation specifically identifies the risks posed by the use of third parties in handling financial or customer data. Whenever data is moved between systems, risks and vulnerabilities are often exposed and can be exploited. Entities are expected to incorporate third parties into the Risk Assessment described above, as well as perform the necessary due diligence to ensure that third party service providers provide sufficient security to the data they are handling.
- Multi-factor Authentication: Each entity must utilize multi-factor authentication technologies for all remote-access services, unless the entity’s CISO has approved the use of reasonably equivalent remote access controls.
- Encryption: Nonpublic information must be encrypted while in motion and while at rest unless this encryption is infeasible. If a determination of infeasibility is made, it must be documented and revisited by the CISO at least annually. The kind and strength of the encryption is not provided by the Cybersecurity Regulation.
- Incident Response Plan: Each entity must create and implement an incident response plan (“IRP”). An IRP is a documented, practiced and tested policy that outlines the steps that are taken by all relevant employees in the event of a suspected or actual data breach.
More information on the Cybersecurity Regulation can be found in this article and on New York Department of Financial Services’ website.
Under the rules set out through the BitLicense, each Licensee is similarly required to establish and maintain an effective cybersecurity program. Because the Cybersecurity Regulations were implemented after the BitLicense, satisfaction of the Cybersecurity Regulations largely satisfies the BitLicense’s cybersecurity program requirements (although the NYSDFS has not explicitly stated this).
KYC rules are applied in New York when:
- Opening an account
- Individual transaction of more than $3,000 of the account holder initiating the transaction
- Enhanced due diligence for non-US Persons and non-US Licensees
With respect to the BitLience in particular, KYC and AML requirements require Licensees to, among other things:
- Obtain information for counterparties to its customers’ transactions to the extent practicable;
- File Suspicious Activity Reports (“SARs”) to the extent not already subject to federal SARS reporting;
- File currency transaction reports for all virtual currency to virtual currency transactions greater than $10,000; and
- Maintain records on this information for 7 years.
More details on the New York State Department of Financial Services Regulations can be found in Title 23, Chapter 1, Part 200, Regulations of the Superintendent of Financial Services, Virtual Currencies.