The New York State Department of Financial Services (“NYS DFS”) Cybersecurity Regulations: We are all connected.

Written by Steve Fiergang, Esq., General Counsel, Layer 8 Security

Welcome to the future of cybersecurity: not only in the financial services, banking, and insurance sectors but for all of their third-party service providers (read: You); cyber regulations are in effect.

By now, most of you in the worlds of finance and insurance have been introduced to the recent NYS DFS Regulations. As you will see, these regulations extend far beyond state boundaries and lines of business.   Rather than proffering a construct for another “voluntary” framework to accurately gauge cybersecurity risk, New York boldly puts forth a set of minimum standards by which to judge the thoroughness of each entity’s information security program.  While there are potentially high costs associated with adhering to these regulations that will be imposed upon companies both locally and nation-wide, we believe this is a significant advancement for our country from the perspective of both cyber and financial security.

With the rollout of these regulations scheduled to occur in less than 180 days, here are the five questions (and answers) that should be on the minds of all businesses in the Philadelphia region regardless of whether you work in banking, financial industry or insurance:

Q:  How does this regulation affect my business?

A.:  Every company operates within an ecosphere of interrelated technology dependence and connection.  A significant component of the regulations appear in Section 500.11 Third Party Service Provider Security Policy.  More and more, looking up and down the supply chain, all companies’ IT systems and architecture are connected.  A breach anywhere within the chain can immediately corrupt a third-party provider, supplier or customer.  True resilience can only be achieved when every company, large and small, implements and maintains a personally tailored cybersecurity program.

  1. How do the recent NYS DFS regulations impact companies that have clients in New York?
  2. This question arises as a crossover from individual State Breach Notification Laws, which often require companies to notify those who have been breached whenever any customer of a company resides in its State.  In this case, the regulations speak specifically to covered entities, not customers.

Q:  How do these regulations affect an entity that is domiciled out of NY State but has a satellite office within?

A:  The Regulations apply to “any Person operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law”.  The definition of a covered entity is responsive; if the satellite office is currently required to operate under the authorization of the NYS DFS, then the regulations apply.

Q.:  Are related companies required to develop and implement separate cybersecurity programs?

A.:  Regarding affiliated or sister companies, the regulations make clear that any affiliate may adopt a cybersecurity program maintained by its related covered entity, so long as the cybersecurity program covers the affiliate’s information systems and nonpublic information and meets the requirements of the regulations.

Q: Will other states echo these regulations and if so, what are the implications associated with such a trend?

A:  New York is the country’s financial center, and as such, it is logical that they take the lead.  While the future has yet to be written, this is an excellent jumping off point for Federal review.  The most logical and coordinated approach would require Federal regulation.  In its absence, our hope is that NYS DFS Regulations become a model that other states replicate.  The worst-case scenario is one where a patchwork of poorly matched regulations and guidance from state-to-state leave companies in the lurch as to how best to move forward.


©2020 PACT All Rights Reserved