Facing the Known Unknown: Advice to Banks and Other Financial Institutions Preparing for Compliance with New York’s New Cybersecurity Regulation
October 3, 2017
As of August 28th, New York-based banks, financial institutions, and other so-designated “Covered Entities” are required to comply with New York’s Cybersecurity Regulation, 23 NYCRR Part 500 (the “Cybersecurity Regulation”). New York’s Department of Financial Services (“DFS”) promulgated the Cybersecurity Regulation to address the threat cyberattacks pose to financial institutions and their customers. The Cybersecurity Regulation requires Covered Entities to conduct an internal cyberrisk assessment and to install or develop programs which address any potential cyberrisk. The Cybersecurity Regulation also introduces new reporting requirements for Covered Entities in instances of cyberattacks – whether successful or not. However, while Covered Entities must comply with the Cybersecurity Regulation, and certify such compliance as of February 15, 2018, numerous ambiguities regarding the Cybersecurity Regulation remained. DFS recently sought to clear up some of this confusion by issuing FAQs.
For one, DFS sought to clarify the extent to which the Cybersecurity Regulation impacted today’s banking environment. How far would the jurisdiction of the Cybersecurity Regulation reach when non-New York and non-United States banks have branches in states and countries beyond their home base?
Now clear is that New York branches of non-New York banks fall under the aegis of the Cybersecurity Regulation. The FAQs annunciated that New York branches of out-of-state domestic banks will be required to comply with the Cybersecurity Regulation. Further, out-of-country banks with New York branches, agencies, and representative offices are also subject to the Cybersecurity Regulation. The FAQs also chipped away at some of the confusion related to reporting. The Cybersecurity Regulation requires Covered Entities to report to DFS any cyberattacks which pose a substantial threat, even if unsuccessful. In what appears to be bank-friendly news, DFS made clear that what constitutes such a reportable, unsuccessful attack is up to the Covered Entity’s “good faith judgment.” Such judgment depends on understanding what risks such Covered Entity faces and is, therefore, to some extent specific to each Covered Entity.
DFS’ reporting commentary should provide additional assurance to banks, financial institutions, and other Covered Entities. While Covered Entities are expected to report such reportable violations within 72 hours, including to a soon-to-be premiered DFS secured portal, DFS noted that the thrust behind this aspect of the Cybersecurity Regulation is not to penalize honest, good-faith judgments about which unsuccessful attacks to report. Hopefully, Covered Entities can anticipate that DFS will cast a more lenient glance to questions on appropriate reporting.
Covered Entities should note, though, that the Cybersecurity Regulation anticipates broad reporting of cybersecurity attacks. Covered Entities are expected to provide notice to any consumers affected by cybersecurity attacks. Such notice should be part of the anticipated risk-compliance plan, and, therefore, part of the compliance each Covered Entity certifies to DFS in February.
Additionally, DFS clarified that Covered Entities exempt under § 500.19 (essentially smaller institutions) from certain aspects of the Cybersecurity Regulation are still on the hook for the remainder of the Cybersecurity Regulation’s obligations. Under this exemption, applicable Covered Entities are exempt from certain of the more onerous aspects of the Cybersecurity Regulation, including designating a Chief Information Security Officer, conducting Penetration Testing or audit trails, or developing internal procedures to ensure secured development practices for in-house developed applications and assessing the security of externally developed applications. Nevertheless, these Covered Entities must comply with the remainder of the Cybersecurity Regulation.
DFS’ newly issued guidance suggests that it recognizes the infancy of the Cybersecurity Regulation and, relatedly, their review mechanisms. However, subject banks and financial institutions are expected to have the requisite mechanisms in place to respond to cyberattacks. These entities will have to certify compliance to DFS early in 2018.
If you have any questions, please do not hesitate to contact one of our banking partners.