The New York Department of Financial Services (“NYDFS”) issued a Cybersecurity Regulation (the “Regulation”) in 2016.  The Regulation has been adapted by the Federal Trade Commission and the National Association of Insurance Commissioners, and has been the model for other cybersecurity regulation in the US. NYDFS recently proposed controversial amendments to the Regulation.  As a cybersecurity lawyer representing financial service companies, I have been tracking both the enforcement of the Regulation, as well as the proposed updates.  Absent further revision, four of the proposed amendments are likely to cause havoc for entities covered by the Regulation:

  • The Regulation requires companies to have a Chief Information Security Officer (“CISO”) to oversee the cybersecurity program. The proposed definition of a CISO requires that person to have “adequate authority to ensure cybersecurity risks are appropriately managed….” This definition would allow NYDFS to take the position in enforcement that a knowledgeable CISO who manages the cybersecurity program in an appropriate manner does not meet the definition if NYDFS does not believe the CISO has “adequate authority.”  I submitted two comments to NYDFS that would address this issue.
  • The Regulation requires that covered entities manage third party service providers through assessment and contracts.  The definition of third party service providers currently includes self-regulatory organizations, broker-dealers, clearing agencies, national banks and credit unions, and other highly regulated entities.  I submitted a comment seeking to exclude those entities from the definition.
  •  The Regulation requires that covered entities have business continuity and disaster recovery policies and procedures to address cybersecurity incidents.  However, the requirement is not drafted to allow companies that would be able to operate without certain systems to tailor their policies and procedures appropriately.  I proposed changes that would allow the risk assessment to be used to address those issues.
  • The Regulation requires covered entities to notify NYDFS of certain incidents.  In the proposed updates, NYDFS extends the requirement of any incident where unauthorized privileged access occurred.  This will be very difficult for covered entities, especially where no harm was caused by the privileged access.  What is untenable is the fact that NYDFS is extending this requirement to third party service providers – even if no harm was caused.  My final comment attempts to address the third party service provider issue.

Interested readers can read my formal comment letter here.