With the first compliance deadline now less than two months away, the New York Department of Financial Services (NYDFS) has provided additional clarity concerning its new Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulation”) by publishing an update to previously issued Frequently Asked Questions.

We reported on the forthcoming Cybersecurity Regulation in January and February.

The new FAQs address the applicability of the Cybersecurity Regulation to three different types of entities. [1]

  • New York Branches of Out-of-State Banks. Pursuant to a 1997 Nationwide Cooperative Agreement among state banking regulators, NYDFS “will defer to the home state supervisor for supervision of New York branches.” However, NYDFS “maintains the right to examine branches located in New York” as they still must comply with New York law. Accordingly, NYDFS “strongly encourages all financial institutions, including New York branches of out-of-state domestic banks” to adopt safeguards and protections consistent with the Cybersecurity Regulation.
  • Subsidiaries and Other Affiliates. A Covered Entity must include Affiliates in its Risk Assessment to determine whether they present risks to the Covered Entity’s Information Systems or Nonpublic Information. If so, those risks must be addressed in the Covered Entity’s cybersecurity program and written cybersecurity policy.
  • Exempt Covered Entities. Because the exemptions set forth in Section 500.19 of the Cybersecurity Regulation are “limited in scope,” exempt Covered Entities must still comply with certain provisions of the Cybersecurity Regulation. For example (not listed in the FAQs), a Covered Entity that is exempt under Section 500.19(a) must still conduct a Risk Assessment that informs its cybersecurity program, written cybersecurity policy, access privileges, Third Party Service Provider security policy and data retention practices. Such an exempt Covered Entity also would be required to notify NYDFS of covered Cybersecurity Events and annually certify its compliance to the Superintendent.

We will continue to monitor and provide updates regarding additional NYDFS guidance or interpretations relevant to implementation of the Cybersecurity Regulation.

[1] Note: capitalized terms not defined in this post are defined in the Cybersecurity Regulation.