As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500). Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.
Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced. That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).
On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website. The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers. Some highlights below:
- Obligation to Report Unsuccessful Cyber Attacks: The FAQs elaborate on the obligation to report “unsuccessful” cybersecurity attacks under Section 500.17(a)(2) (see also Section 500.01, definition of “Cybersecurity Event”). This section requires that financial services companies notify DFS of any “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (“Cybersecurity Event” is defined as any act or attempt “successful or unsuccessful” to gain unauthorized access to an information system). The FAQs explain that regulated entities should notify DFS of unsuccessful attacks that appear “particularly significant” based on the risks the company faces and considering the measures and resources deployed to respond to the attack, including whether any response required “exceptional attention by senior personnel.” The FAQs note that the purpose of this requirement is to promote information sharing, and not to penalize companies for honest, good faith judgments.
- “Continuous Monitoring” Requirement: The FAQs also attempt to clarify the “continuous monitoring” requirement of Section 500.05. The regulations require regulated entities to implement monitoring and testing, including “continuous monitoring,” designed to assess the effectiveness of their cybersecurity programs. The FAQs explain that this rule requires tools, controls, and systems to detect changes or activities that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity on an ongoing basis. While the FAQs make clear that “[t]here is no specific technology that is required to be used” to meet this requirement, a manual review of logs and systems on a periodic basis would not be considered effective continuous monitoring under the regulations.
- Obligation to Report Cyber Events Involving Consumer Harm: The FAQs also make clear that under Section 500.17(a), covered entities are required to give notice to DFS when a cybersecurity event involves consumer harm, including disclosure of consumers’ personal information. Specifically, the regulations require notice to DFS whenever “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.” The FAQs explain that this requirement “includes many Cybersecurity Events that involve consumer harm, whether actual or potential.” For example, “New York’s information security breach and notification law [General Business Law Section 899-aa], requires notices to affected consumers and to certain government bodies following a data breach. Under [Section] 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to [DFS].”
- Mechanics of Filing Notices and Certifications: The FAQs provide that required notices under the regulations can be submitted electronically at the filing portal on the following DFS website: http://www.dfs.ny.gov/about/cybersecurity.htm.
For more on the FAQs, see the DFS website here.