NYDFS Issues FAQs for Recently Issued Cybersecurity Regulations

On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk.  The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules.

Significantly, NYDFS made clear its view that New York branches of foreign banks are covered by the Cybersecurity Regulations with respect to the Nonpublic Information of such branches and the Information Systems serving such branches.  NYDFS also confirmed that it will only accept annual certifications demonstrating full (rather than partial) compliance with the Regulations.  With respect to reportable Cybersecurity Events, NYDFS clarified that such events include reportable data breaches, events involving “material consumer harm,” and even unsuccessful attacks on a Covered Entity.

Other key points addressed in the FAQs include:

Application to Different Entities

  • New York branches of out-of-state domestic banks: NYDFS clarified that it will defer application of the Regulations to the home state supervisor of state-chartered banks for supervision and examination of bank branches in New York.  NYDFS nevertheless encouraged such branches to adopt safeguards consistent with the Cybersecurity Regulations, reminding banks that New York branches are required to comply with New York law and that NYDFS maintains the right to examine branches located in New York.
  • DFS-authorized New York branches, agencies, and representative offices of foreign banks:  NYDFS stated that the DFS-authorized New York branches, agencies, and representative offices of out-of-country banks must comply with the Cybersecurity Regulations with respect to any Nonpublic Information of the branch and any Information Systems supporting the branch.
  • Affiliates of Covered Entities:  If the Covered Entity uses an affiliate’s employee to serve as the Covered Entity’s CISO, NYDFS does not consider the affiliate to be a Third Party Service Provider under the regulations.  Additionally, a Covered Entity adopting an affiliate’s cybersecurity program may do so in whole or in part, as long as the adopted portion meets all of the requirements of the Regulations.  But Covered Entities must evaluate and address in their Risk Assessment any risks presented by affiliates or subsidiaries to the Covered Entity’s Information Systems and Nonpublic Information.
  • Third Party Service Providers: NYDFS explained that the Third Party Service Provider requirements of 23 NYCRR 500.11 permit Covered Entities to conduct a risk assessment regarding the appropriate controls for Third Party Service Providers based on the individual facts and circumstances, and that the requirement is not a “one-size-fits-all solution.”  This appears to provide some flexibility for Third Party Service Providers in the application of controls specifically called out by the rule, such as multi-factor authentication and encryption.

Notice Requirements for Cybersecurity Events

  • Under the Regulations, Covered Entities must provide notice to the Department of Cybersecurity Events “of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” or when the event “has a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.”  NYDFS clarified that this includes reportable data breaches, events involving “material consumer harm,” and even unsuccessful attacks on a Covered Entity.
  • NYDFS emphasized that a Covered Entity’s cybersecurity program must address notice to consumers as a part of its incident response plan.
  • Cybersecurity Events must be reported to NYDFS “as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity event has occurred.”  NYDFS specified that notices of Cybersecurity Events should, at this time, be sent to the Covered Entity’s normal supervisory staff within NYDFS.  In the near future, notices may be filed through the DFS Web Portal.

Annual Certifications

  • NYDFS stated that each Covered Entity must annually certify its compliance with the Cybersecurity Regulations.  The certification requirement may not be met by an affiliate of the Covered Entity.
  • The first certification is due by February 15, 2018, and it applies to and includes all requirements for which the applicable transitional period has terminated prior to February 15, 2018.  These requirements include implementation of a Cybersecurity Program and Cybersecurity Policy, designation of a Chief Information Security Officer, limitation and periodic review of user access privileges, utilization of qualified cybersecurity personnel and intelligence, and development of a written incident response plan.
  • NYDFS emphasized that the Department expects full compliance with the Regulations, and a Covered Entity may not submit an annual certification unless the entity is in compliance with all applicable requirements at the time of certification.

Effective Continuous Monitoring

  • NYDFS stated that no specific technology is required in order to have an effective continuous monitoring program under 23 NYCRR 500.05; nevertheless, “periodic manual review of logs and firewall configuration” would not be considered effective continuous monitoring.  NYDFS explained that effective continuous monitoring “generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity’s Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity.”

Note that NYDFS may revise or update the FAQs from time to time; several issues requiring clarification have not yet been addressed, and Covered Entities should continue to monitor the FAQs for significant changes.