As our readers know, New York’s Department of Financial Services (“NY DFS”) released a draft of its new Cybersecurity Regulations on September 13, 2016, and the final version of the regulations went into effect on March 1, 2017 (23 NYCRR 500).  Among other things, the regulations require regulated entities to conduct cyber risk assessments and to develop and implement cybersecurity programs to manage their cyber risk.

Notwithstanding the fanfare surrounding the announcement of these “first-in-the-nation” regulations, there has been significant uncertainty about precisely how the regulations will be interpreted and enforced.  That uncertainty has been increasing with the approach of the August 28 deadline for compliance with the first round of requirements (Section 500.22(a)).

On June 29, 2017, NY DFS took steps to reduce that uncertainty by posting a “Frequently Asked Questions” section about the regulations on its website.  The FAQs seek to clarify some key provisions of these regulations, including provisions regarding reporting requirements and consumer notification triggers.  Some highlights below:

  • Obligation to Report Unsuccessful Cyber Attacks: The FAQs elaborate on the obligation to report “unsuccessful” cybersecurity attacks under Section 500.17(a)(2) (see also Section 500.01, definition of “Cybersecurity Event”). This section requires that financial services companies notify DFS of any “Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity” (“Cybersecurity Event” is defined as any act or attempt “successful or unsuccessful” to gain unauthorized access to an information system).  The FAQs explain that regulated entities should notify DFS of unsuccessful attacks that appear “particularly significant” based on the risks the company faces and considering the measures and resources deployed to respond to the attack, including whether any response required “exceptional attention by senior personnel.” The FAQs note that the purpose of this requirement is to promote information sharing, and not to penalize companies for honest, good faith judgments.
  • “Continuous Monitoring” Requirement: The FAQs also attempt to clarify the “continuous monitoring” requirement of Section 500.05. The regulations require regulated entities to implement monitoring and testing, including “continuous monitoring,” designed to assess the effectiveness of their cybersecurity programs. The FAQs explain that this rule requires tools, controls, and systems to detect changes or activities that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity on an ongoing basis.  While the FAQs make clear that “[t]here is no specific technology that is required to be used” to meet this requirement, a manual review of logs and systems on a periodic basis would not be considered effective continuous monitoring under the regulations.
  • Obligation to Report Cyber Events Involving Consumer Harm: The FAQs also make clear that under Section 500.17(a), covered entities are required to give notice to DFS when a cybersecurity event involves consumer harm, including disclosure of consumers’ personal information.  Specifically, the regulations require notice to DFS whenever “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body.”  The FAQs explain that this requirement “includes many Cybersecurity Events that involve consumer harm, whether actual or potential.”  For example, “New York’s information security breach and notification law [General Business Law Section 899-aa], requires notices to affected consumers and to certain government bodies following a data breach. Under [Section] 500.17(a)(1), when such a data breach constitutes a Cybersecurity Event, it must also be reported to [DFS].”
  • Mechanics of Filing Notices and Certifications: The FAQs provide that required notices under the regulations can be submitted electronically at the filing portal on the following DFS website:  http://www.dfs.ny.gov/about/cybersecurity.htm.

For more on the FAQs, see the DFS website here.

Mike Nonaka

Michael Nonaka is a partner in the firm’s Financial Institutions practice group. He represents banks and other financial institutions on a wide variety of bank regulatory, enforcement, legislative and policy issues.  Mr. Nonaka also is co-chair of the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as big data, blockchain and related technologies, bitcoin and other virtual currencies, same day payments, and online lending.

Micaela McMurrough

Micaela McMurrough has represented clients in high-stakes antitrust, patent, trade secrets, contract, and securities litigation, and other complex commercial litigation matters, and serves as co-chair of Covington’s global and multi-disciplinary Internet of Things (IoT) group. She also represents and advises domestic and international clients on cybersecurity and data privacy issues, including cybersecurity investigations and cyber incident response. Micaela has advised clients on data breaches and other network intrusions, conducted cybersecurity investigations, and advised clients regarding evolving cybersecurity regulations and cybersecurity norms in the context of international law.

In 2016, Micaela was selected as one of thirteen Madison Policy Forum Military-Business Cybersecurity Fellows. She regularly engages with government, military, and business leaders in the cybersecurity industry in an effort to develop national strategies for complex cyber issues and policy challenges. Micaela previously served as a United States Presidential Leadership Scholar, principally responsible for launching a program to familiarize federal judges with various aspects of the U.S. national security structure and national intelligence community.

Prior to her legal career, Micaela served in the Military Intelligence Branch of the United States Army. She served as Intelligence Officer of a 1,200-member maneuver unit conducting combat operations in Afghanistan and was awarded the Bronze Star.

Jordan Joachim

Jordan Joachim is a litigation associate in the firm’s New York office. His practice focuses on complex commercial litigation, including securities and shareholder litigation, contract disputes, trade secret litigation, and class actions. He has experience representing clients at all stages of litigation, from case inception through trial and appeal. Jordan also advises clients on issues relating to corporate governance, cybersecurity, data privacy, and trade secrets.