DFS Issues New Guidance Regarding Cybersecurity Regulation and the Adoption of an Affiliate’s Cybersecurity Program
On October 22, 2021, the New York State Department of Financial Services (“DFS”) issued new Guidance regarding a Covered Entity’s compliance with New York’s Cybersecurity Regulation where the Covered Entity relies on the cybersecurity programs of an Affiliate. The Guidance provides much-needed clarity on a topic that impacts many entities subject to the DFS Regulation.
Background: New York’s Cybersecurity Regulation
Starting in 2017, DFS set down certain minimum cybersecurity standards for New York’s financial services industry; the standards are referred to colloquially as the Cybersecurity Regulation, 23 N.Y.C.R.R. Part 500. For all Covered Entities, the Cybersecurity Regulation lays out requirements for developing and implementing cybersecurity programs that will effectively and proactively address cyber risks and protect Covered Entity’s information systems.
Pertinently, the Cybersecurity Regulation also permits the Covered Entity to meet its own obligations by adopting the cybersecurity program of an Affiliate, even if the Affiliate isn’t itself a Covered Entity. 23 N.Y.C.R.R. § 500.2(c). Specifically, a Covered Entity may fulfill certain obligations by adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate—provided that such provisions satisfy the requirements of the Cybersecurity Regulation as applicable to the Covered Entity. Id. How this should work in practice, however, has given rise to many questions from the New York financial services sector.
The recent Guidance recognizes that many Covered Entities are Affiliates of other companies and will often share cybersecurity resources and programs with those Affiliates. However, a Covered Entity may not simply adopt the cybersecurity program of an Affiliate without more. The Guidance specifies:
Although a Covered Entity may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate. The Covered Entity is responsible for complying with the Cybersecurity Regulation’s requirements regarding its cybersecurity program regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate. Moreover, a Covered Entity’s obligations to demonstrate compliance with the Cybersecurity Regulation is the same whether it adopts the cybersecurity program of an affiliate or implements its own cybersecurity program.
The Guidance also reminds that every Covered Entity is required, upon request, to make available to the DFS “[a]ll documentation and information relevant to the Covered Entity’s cybersecurity program,” id. § 500.2(d), which—per the recent Guidance—“includes all documentation and information relevant to cybersecurity programs adopted from an affiliate.”
For example, if a Covered Entity has adopted the cybersecurity program of a head office located abroad (a head office not regulated by the DFS), the Covered Entity still has an obligation to make available to DFS information regarding the adopted portions of the head office’s cybersecurity program, such as the Affiliate’s cybersecurity policies and procedures. Such access will allow DFS to sufficiently evaluate the Covered Entity’s compliance with the Cybersecurity Regulation. To streamline and simplify this process, the Guidance provides that “[o]ne way to ensure that DFS will be able to access the requisite documentation and information is to ensure that any agreement between a Covered Entity and its affiliate provides for” access to this information.
In sum, the Guidance clarifies that Covered Entities are not shielded from liability by simply adopting the relevant and applicable provisions of a cybersecurity program maintained by an Affiliate without more. Covered Entities must ensure that those programs satisfy its obligations under the Regulation and—when necessary—must work with the Affiliate to satisfy DFS of the same.
 A Covered Entity means “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 N.Y.C.R.R. § 500.1(c). And an Affiliate is defined as “any Person that controls, is controlled by or is under common control with another Person.” Id. § 500.1(a).