New York Department of Financial Services Issues Additional Cybersecurity FAQs
On December 12, 2017, the New York Department of Financial Services (DFS) issued four additional frequently asked questions (FAQs) relating to its new cybersecurity regulation (Part 500).1 The regulation, which became effective on March 1, 2017 and has garnered widespread attention, requires submission of the first annual certification of compliance to the DFS by February 15, 2018. The four new FAQs supplement an earlier release of FAQs in September 2017.
As previously discussed (here and here), Part 500 requires Covered Entities2 to adopt and maintain a cybersecurity program and corresponding cybersecurity policies and procedures. Part 500 is believed to be the first state effort of its kind regulating cybersecurity of financial services firms. Although in some ways Part 500 is similar to federal requirements and guidance on cybersecurity for banks and securities firms, it differs in details and imposes substantial reporting obligations. Covered Entities are now required to be in compliance with the majority of the regulation's requirements and, after the submission of certifications for the first time in February 2018, additional requirements of Part 500 phase in between March 1, 2018 and March 1, 2019.
Covered Entities that are implementing measures to comply with Part 500 and preparing certifications for submission will likely find the new FAQs instructive. For example, new FAQ #2 and its response clarifies that Covered Entities may not rely solely on certificates of compliance received from Third Party Service Providers3 to comply with the requirements of Section 500.11(a)(3). The DFS clarifies that additional due diligence of third parties is required to "assess the risks each Third Party Service Provider poses to [the Covered Entity's] data and systems and effectively address those risks." Although this guidance is consistent with the existing federal expectations for managing risks associated with third-party relationships, it may alter certain Covered Entities' approaches when preparing to submit annual certifications of compliance to the DFS. New FAQ #2 clarifies that reliance on sub-certifications is limited and, on their own, is insufficient to satisfy DFS expectations.
The four new FAQs are reproduced below.
1. Assuming there is no continuous monitoring under 23 NYCRR Section 500.05, does the Department require that a Covered Entity complete a Penetration Test and vulnerability assessments by March 1, 2018?
The Regulation requires Covered Entities to have a plan in place that provides for Penetration Testing to be done as appropriate to address the risks of the Covered Entity. Such plan must encompass Penetration Testing at least annually and bi-annual vulnerability assessments, but the first annual Penetration Testing and first vulnerability assessment need not have been concluded before March 1, 2018 under Section 500.05. The Department expects all institutions with no continuous monitoring to complete robust Penetration Testing and vulnerability assessment in a timely manner as they are a crucial component of a cybersecurity program.
2. If Covered Entity A utilizes Covered Entity B (not related to Covered Entity A) as a Third Party Service Provider, and Covered Entity B provides Covered Entity A with evidence of its Certification of Compliance with NYSDFS Cybersecurity Regulations, could that be considered adequate due diligence under the due diligence process required by Section 500.11(a)(3)?
No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third Party Service Provider poses to their data and systems and effectively address those risks. The Department has provided a two year transitional period to address these risks and expects Covered Entities to have completed a thorough due diligence process on all Third Party Service Providers by March 1, 2019.
3. Does a Covered Entity need to amend its Notice of Exemption in the event of changes after the initial submission (e.g., name changes or changes to the applicable exemption(s))?
If there are changes, the Covered Entity should submit a new Notice of Exemption, which would not be considered an amendment to the original submission. For example, if a Covered Entity originally submitted a Notice of Exemption stating that it qualified for exemptions under Sections 500.19(b) and 500.19(a)(1), but it now only qualifies for a Section 500.19(a)(1) exemption, then the Covered Entity must submit a new Notice of Exemption with the correct information.
The Department also emphasizes that Notices of Exemption should be filed electronically via the DFS Web Portal http://www.dfs.ny.gov/about/cybersecurity. The Covered Entity should utilize the account that they used to file the original Notice of Exemption or create a new account if an individual filing was previously not made. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.
4. Should a Covered Entity send supporting documentation along with the Certification of Compliance?
The Covered Entity must submit the compliance certification to the Department and is not required to submit explanatory or additional materials with the certification. The certification is intended as a stand-alone document required by the regulation. The Department also expects that the Covered Entity maintains the documents and records necessary that support the certification, should the Department request such information in the future. Likewise, under 23 NYCRR Section 500.17, to the extent a Covered Entity has identified areas, systems, or processes that require material improvement, updating or redesign, the Covered Entity must document such efforts and maintain such schedules and documentation for inspection during the examination process or as otherwise requested by the Department.4
* * *
Covered Entities interested in assistance with implementing measures to comply with Part 500 are encouraged to contact any of the authors listed below or your Arnold & Porter Kaye Scholer contact. The firm's financial services team would be pleased to assist with any questions you may have about Part 500, its certification, or cybersecurity compliance more broadly.
© 2017 Arnold & Porter Kaye Scholer LLP. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
New York State-chartered or licensed banks, insurance companies, licensed lenders, check cashers, money transmitters, and their holding companies, and other firms that are licensed by, operating under approval orders of, or otherwise subject to regulation by the DFS are subject to Part 500. Part 500 does not purport to treat federally chartered banks or federal branches of non-US banks licensed by the Office of the Comptroller of the Currency (OCC) as Covered Entities. Part 500 directly regulates Covered Entities that operate under DFS licenses or approvals, and also has an indirect impact on their internal and third-party vendors and service providers, as well as affiliates that support or share data platforms and systems with DFS-regulated firms.
"Third Party Service Provider(s) means a Person that (i) is not an Affiliate of the Covered Entity, (ii)provides services to the Covered Entity, and (iii) maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity." 23 N.Y.C.R.R. § 500.01(n).
Frequently Asked Questions Regarding 23 NYCRR 500 (Dec. 12, 2017).