New York DFS Publishes FAQs on New Cybersecurity Regulations

As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:

  • Obligation to Report Unsuccessful Cyber Attacks: The FAQs elaborate on the obligation to report “unsuccessful” cybersecurity attacks under Section 500.17(a)(2) (see also Section 500.01, definition of “Cybersecurity Event”). This section requires that financial services companies notify DFS of any “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (“Cybersecurity Event” is defined as any act or attempt “successful or unsuccessful” to gain unauthorized access to an information system).  The FAQs explain that regulated entities should notify DFS of unsuccessful attacks that appear “particularly significant” based on the risks the company faces and considering the measures and resources deployed to respond to the attack, including whether any response required “exceptional attention by senior personnel.” The FAQs note that the purpose of this requirement is to promote information sharing, and not to penalize companies for honest, good faith judgments.

  • “Continuous Monitoring” Requirement: The FAQs also attempt to clarify the “continuous monitoring” requirement of Section 500.05. The regulations require regulated entities to implement monitoring and testing, including “continuous monitoring,” designed to assess the effectiveness of their cybersecurity programs. The FAQs explain that this rule requires tools, controls, and systems that detect, on an ongoing basis, changes or activities that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. While the FAQs make clear that “[t]here is no specific technology that is required to be used” to meet this requirement, a manual review of logs and systems on a periodic basis would not be considered effective continuous monitoring under the regulations.

  • Obligation to Report Cyber Events Involving Consumer Harm: The FAQs also make clear that under Section 500.17(a), covered entities are required to give notice to DFS when a cybersecurity event involves consumer harm, including disclosure of consumers’ personal information.  Specifically, the regulations require notice to DFS whenever “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.”  The FAQs explain that this requirement “includes many Cybersecurity Events that involve consumer harm, whether actual or potential.”  For example, “New York’s information security breach and notification law [General Business Law Section 899-aa], requires notices to affected consumers and to certain government bodies following a data breach. Under [Section] 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to [DFS].”

  • Mechanics of Filing Notices and Certifications: The FAQs provide that required notices under the regulations can be submitted electronically at the filing portal on the following DFS website:  http://www.dfs.ny.gov/about/cybersecurity.htm.

For more on the FAQs, see the DFS website here.

© 2017 Covington & Burling LLP

About this Author

Michael Nonaka, Covington Burling, compliance enforcement attorney, transactional matters lawyer
Partner

Michael Nonaka advises banks, financial services providers, and non-bank companies on a broad range of compliance, enforcement, transactional, and legislative matters. He has worked extensively with federal and state banking agencies and with other federal agencies authorized to regulate financial services. 

Mr. Nonaka has significant experience advising clients on issues arising under financial services legislation such as the Dodd-Frank Wall Street Reform and Consumer Protection Act. He has advised clients on, among other areas in Dodd-Frank,...

202 662 5727
Micaela R.H. McMurrough, Covington, Data privacy Lawyer, Securities litigation Attorney
Special Counsel

Micaela McMurrough is a special counsel in Covington’s Litigation and Data Privacy and Cybersecurity practice groups. She has represented clients in high-stakes antitrust, patent, and securities litigation and other complex commercial litigation matters. She also advises clients on cybersecurity and national security matters.

In 2016, Ms. McMurrough was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Ms. McMurrough previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

212-841-1242
Jordan S. Joachim, Covington Law Firm, New York, Litigation Associate Lawyer, Corporate Investigations Attorney
Associate

Jordan Joachim is a litigation associate in the firm’s New York office.

Education

New York University School of Law, J.D., 2015

  • magna cum laude

  • Order of the Coif

  • New York University Law Review, Articles Editor

Franklin & Marshall College, B.A., 2012

  • magna cum laude

  • Phi...

212-841-1086