December 15, 2019


New York DFS Publishes FAQs on New Cybersecurity Regulations

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:

  • Obligation to Report Unsuccessful Cyber Attacks: The FAQs elaborate on the obligation to report “unsuccessful” cybersecurity attacks under Section 500.17(a)(2) (see also Section 500.01, definition of “Cybersecurity Event”). This section requires that financial services companies notify DFS of any “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (“Cybersecurity Event” is defined as any act or attempt “successful or unsuccessful” to gain unauthorized access to an information system).  The FAQs explain that regulated entities should notify DFS of unsuccessful attacks that appear “particularly significant” based on the risks the company faces and considering the measures and resources deployed to respond to the attack, including whether any response required “exceptional attention by senior personnel.” The FAQs note that the purpose of this requirement is to promote information sharing, and not to penalize companies for honest, good faith judgments.

  • “Continuous Monitoring” Requirement: The FAQs also attempt to clarify the “continuous monitoring” requirement of Section 500.05. The regulations require regulated entities to implement monitoring and testing, including “continuous monitoring,” designed to assess the effectiveness of their cybersecurity programs. The FAQs explain that this rule requires tools, controls, and systems to detect changes or activities that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity on an ongoing basis. While the FAQs make clear that “[t]here is no specific technology that is required to be used” to meet this requirement, a manual review of logs and systems on a periodic basis would not be considered effective continuous monitoring under the regulations.

  • Obligation to Report Cyber Events Involving Consumer Harm: The FAQs also make clear that under Section 500.17(a), covered entities are required to give notice to DFS when a cybersecurity event involves consumer harm, including disclosure of consumers’ personal information.  Specifically, the regulations require notice to DFS whenever “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.”  The FAQs explain that this requirement “includes many Cybersecurity Events that involve consumer harm, whether actual or potential.”  For example, “New York’s information security breach and notification law [General Business Law Section 899-aa], requires notices to affected consumers and to certain government bodies following a data breach. Under [Section] 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to [DFS].”

  • Mechanics of Filing Notices and Certifications: The FAQs provide that required notices under the regulations can be submitted electronically at the filing portal on the following DFS website:

For more on the FAQs, see the DFS website here.

© 2019 Covington & Burling LLP


About this Author

Michael Nonaka, Covington & Burling, data and cybersecurity lawyer

Michael Nonaka is co-chair of the financial institutions group and advises banks, financial services providers, and non-bank companies on a broad range of compliance, enforcement, transactional, and legislative matters. He has worked extensively with federal and state banking agencies and with other federal agencies authorized to regulate financial services. Mr. Nonaka also plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative...

Micaela R.H. McMurrough, Covington, Data privacy Lawyer
Special Counsel

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters. Ms. McMurrough also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Ms. McMurrough has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Ms. McMurrough was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Ms. McMurrough previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Ms. McMurrough served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Jordan S. Joachim, Covington, Litigation attorney

Jordan Joachim is a litigation associate in the firm’s New York office.
