DFS Issues Additional Guidance for Cyber Regulation Compliance
New York’s Department of Financial Services (DFS) has issued additional guidance for compliance with the state’s sweeping cybersecurity regulation that went into effect earlier this year. Companies covered by the regulation must comply with the first round of requirements by August 28th.
The additional guidance – in the form of frequently asked questions posted on the DFS website – focuses primarily on two topics: 1) breach reporting and 2) compliance with the regulation by New York-based branches of out-of-state banks.
When should an “unsuccessful” cyber attack be reported to DFS? The regulation requires that organizations report an unsuccessful cyber attack that has or had “a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” In its guidance, DFS said that it anticipates most unsuccessful attacks – especially those considered “routine” – will not be reportable but asks that attacks be reported that “are sufficiently serious to raise a concern” or “appear particularly significant based on the Covered Entity’s understanding of the risks it faces.” For example, companies are asked to notify DFS of an unsuccessful attack that “required measures or resources well beyond those ordinarily used . . . like exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps.” DFS stressed that the reporting requirement is intended to facilitate information sharing and to inform the agency’s overall supervision of the industry.
Is an attack reportable if it involves harm to consumers? DFS explained that its cybersecurity regulation must be read in conjunction with consumer privacy laws. Under Section 500.17(a)(i), a cyber event must be reported to DFS if “notice is required to be provided to any government body, self-regulatory agency or any other supervisory body,” which, depending on the law and jurisdiction, includes events that involve actual or potential consumer harm. By way of example, under New York’s breach notification law, notices to affected consumers and government bodies are generally required following a data breach. In such a case, notice must also be given to DFS. In addition, simply providing notice to DFS does not negate an institution’s obligation to follow state-by-state consumer data breach notification requirements.
Are the NY branches of out-of-state domestic banks required to comply with the regulation? DFS made clear that, as a signatory to the Nationwide Cooperative Agreement – the compact among state banking regulators – “the home state of a state-chartered bank with a branch or branches in New York . . . is primarily responsible for supervising such state-chartered bank.” In such cases, DFS will defer to the “home state supervisor and examination of the New York branches with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination.” But at the same time, DFS noted that “New York branches are required to comply with New York state law,” and it maintains the right to examine branches located within the state. DFS, however, “strongly encourages” all financial institutions, including out-of-state branches, to “adopt cybersecurity protections consistent with the safeguards” of the new regulation.
We will continue to monitor any new guidance issued by DFS.