New York Department of Financial Services Issues New Cybersecurity Guidance

On October 22, 2021, the New York Department of Financial Services (NY DFS) issued guidance regarding the adoption of an affiliate’s cybersecurity program. This guidance is intended to apply to all entities regulated by the NY DFS.

Under New York’s Cybersecurity Regulation, 23 NYCRR Part 500, any entity regulated by the NY DFS (a “Covered Entity”) must maintain a risk-based cybersecurity program that protects its information systems and nonpublic information. Since the regulation took effect in 2017, it has permitted a Covered Entity to adopt the relevant portions of an affiliate’s cybersecurity program. In practice, this means a NY DFS-regulated entity within a larger corporate group whose other members are not NY DFS-regulated has been allowed to rely on the cybersecurity program of an affiliate, for example its parent organization.

The new guidance does not restrict this practice. NY DFS clarified, however, that “the Covered Entity may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate.” Compliance remains the sole responsibility of the Covered Entity, even where every adopted control is operated by the affiliate.

Further, NY DFS must be able to examine the parts of the affiliate’s program that the Covered Entity adopts, and must be provided on request with “documentation including the affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” Because the Covered Entity is answerable for producing records it does not itself hold, a binding contractual agreement with the affiliate that provides the adopted program can help ensure those records are available when DFS asks for them.

As such, any Covered Entity that intends to adopt an affiliate’s cybersecurity program should:

  • inform company leadership that responsibility for compliance with the Cybersecurity Regulation rests with the Covered Entity, not the affiliate, and that DFS may examine the adopted portions of the affiliate’s program,

  • review the adopted portions of the affiliate’s program to confirm they satisfy the requirements of 23 NYCRR Part 500, and give careful consideration to the practices DFS recommends,

  • establish a procedure with the affiliate for documenting compliance with 23 NYCRR Part 500 and for producing that documentation to DFS on request, as required by 23 NYCRR 500.2(d), and

  • consider entering into contractual agreements with the affiliate that cover documentation and data handling obligations, as well as the process for retrieving documents when DFS requests them.

If you have any questions or concerns regarding this new guidance, please contact Kennedy Sutherland.
