New York DFS Publishes FAQs on New Cybersecurity Regulations
Monday, July 17, 2017
Cyber Crime, New York DFS Publishes FAQs on New Cybersecurity Regulations
Print Mail Download i

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:

  • Obligation to Report Unsuccessful Cyber Attacks: The FAQs elaborate on the obligation to report “unsuccessful” cybersecurity attacks under Section 500.17(a)(2) (see also Section 500.01, definition of “Cybersecurity Event”). This section requires that financial services companies notify DFS of any “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (“Cybersecurity Event” is defined as any act or attempt “successful or unsuccessful” to gain unauthorized access to an information system).  The FAQs explain that regulated entities should notify DFS of unsuccessful attacks that appear “particularly significant” based on the risks the company faces and considering the measures and resources deployed to respond to the attack, including whether any response required “exceptional attention by senior personnel.” The FAQs note that the purpose of this requirement is to promote information sharing, and not to penalize companies for honest, good faith judgments.

  • Continuous Monitoring” Requirement: The FAQs also attempt to clarify the “continuous monitoring” requirement of Section 500.05. The regulations require regulated entities to implement monitoring and testing, including “continuous monitoring,” designed to assess the effectiveness of their cybersecurity programs. The FAQs explain that this rule requires tools, controls, and systems to detect changes or activities that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity on an ongoing basis.  While the FAQs make clear that “[t]here is no specific technology that is required to be used” to meet this requirement, a manual review of logs and systems on a periodic basis would not be considered effective continuous monitoring under the regulations.

  • Obligation to Report Cyber Events Involving Consumer Harm: The FAQs also make clear that under Section 500.17(a), covered entities are required to give notice to DFS when a cybersecurity event involves consumer harm, including disclosure of consumers’ personal information.  Specifically, the regulations require notice to DFS whenever “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.”  The FAQs explain that this requirement “includes many Cybersecurity Events that involve consumer harm, whether actual or potential.”  For example, “New York’s information security breach and notification law [General Business Law Section 899-aa], requires notices to affected consumers and to certain government bodies following a data breach. Under [Section] 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to [DFS].”

  • Mechanics of Filing Notices and Certifications: The FAQs provide that required notices under the regulations can be submitted electronically at the filing portal on the following DFS website:  http://www.dfs.ny.gov/about/cybersecurity.htm.

For more on the FAQs, see the DFS website here.

© 2024 Covington & Burling LLP

Current Legal Analysis

More from Covington & Burling LLP

Standing Issues in Data Breach Litigation: An Overview
by: Priscilla Fasoro , Lauren Wiseman
Financial Agencies Release Joint Statement on Innovative Efforts to Combat Money Laundering and Terrorist Financing
by: Lucille C. Bartholomew
Senate Confirms Kraninger as BCFP Director
by: Luis Urbina
FTC Solicits Public Comment on Identity Theft Detection Rules
by: S. Burr Eckstut
Significant FDA Digital Health Policy Development for Prescription Drug Sponsors
by: Mingham Ji , Christina G. Kuhn
First Significant Pay-to-Play Legislation for the District of Columbia Approved by D.C. Council
by: Kevin Glandon
FTC Settles with PR Firm and Publisher Over Social Media Endorsements
by: Inside Privacy Blog at Covington and Burling
Senate Testimony Highlights Tensions in BSA/AML Reform Efforts as Lawmakers Consider Bipartisan Legislation
by: Sam Adriance
Reprieve in U.S.-China Trade Tensions: U.S. Tariffs on $200 Billion in Chinese Imports to Stay at 10 Percent for 90 Days; China to Purchase U.S. Goods
by: Christopher Adams , John Veroneau
AI Update: FCC Hosts Inaugural Forum on Artificial Intelligence
by: Thomas Parisi

Upcoming Legal Education Events

 

NLR Logo

We collaborate with the world's leading lawyers to deliver news tailored for you. Sign Up to receive our free e-Newsbulletins

 

Sign Up for e-NewsBulletins