The New York State Department of Financial Services (“NYDFS”) Cybersecurity Requirements for Financial Services Companies (the “Regulation”), which came into effect on March 1, 2017, establishes minimum cybersecurity standards for banks, insurance companies and financial services companies regulated by New York State law. The Regulation has implications for Canadian organizations that have regulated operations in New York, are affiliated with a regulated entity or provide services to a regulated entity.
Overview of Regulation
The Regulation requires that, subject to limited exceptions, each individual or legal entity operating under a license, registration or similar authorization under New York state banking, insurance or financial services laws (each a “Covered Entity”) assess its cybersecurity risks and design a cybersecurity program that addresses those risks in a robust fashion. The Regulation also requires each Covered Entity’s senior management to take cybersecurity seriously and to be responsible for the entity’s cybersecurity program. Covered Entities are required to have a cybersecurity program and related policies and procedures in place by August 28, 2017.
The NYDFS has issued Frequently Asked Questions (the “FAQ”) to provide guidance regarding the interpretation of the Regulation.
Implications for Canadian Organizations
The Regulation has implications for Canadian organizations in at least the three situations described below.
1. Regulated Operations
The FAQ indicates that the Regulation applies to a foreign organization that has a branch, agency or representative office in New York that is regulated by the NYDFS, but only with respect to the regulated operations. The FAQ states as follows:
“Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with [the Regulation]?
Yes. It is further noted that, in such cases, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of [the Regulation], whether through the branch’s, agency’s or representative office’s development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.”
2. Affiliates/Subsidiaries
The FAQ indicates that the Regulation applies to cybersecurity risks that a Covered Entity’s corporate affiliate or subsidiary presents (including through control or access) to the Covered Entity’s “Information Systems” or “Nonpublic Information” (both as broadly defined in the Regulation). The FAQ states as follows:
“How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?
When a subsidiary or other affiliate of a Covered Entity presents risks to the Covered Entity’s Information Systems or the Nonpublic Information stored on those Information Systems, those risks must be evaluated and addressed in the Covered Entity’s Risk Assessment, cybersecurity program and cybersecurity policies. Other regulatory requirements may also apply, depending on the individual facts and circumstances.”
3. Third Party Service Providers
The Regulation has implications for Canadian organizations that provide services to Covered Entities. The Regulation requires each Covered Entity to implement written policies and procedures designed to ensure the security of information systems and data accessible to or held by a “Third Party Service Provider”, which is defined as an independent service provider that “maintains, processes or otherwise is permitted access to Nonpublic Information through its provision of services to the Covered Entity”. The required policies and procedures must address, to the extent applicable, risk identification and assessment of each Third Party Service Provider, minimum required cybersecurity practices to be followed by each Third Party Service Provider, due diligence processes for assessing each Third Party Service Provider’s cybersecurity practices and periodic reassessments of each Third Party Service Provider.
Comment
Canadian organizations with direct or indirect connections to Covered Entities should determine whether some or all of their operations are subject to the Regulation and take appropriate, timely measures to prepare for compliance by applicable dates specified in the Regulation.
The Regulation is a helpful summary of current cyber risk management best practices, and provides a useful benchmark for Canadian organizations of all kinds and sizes to assess their cyber risk management programs. The cyber risk management practices required by the Regulation are consistent with guidance issued by Canadian financial industry regulators and self-regulatory organizations.
For more information about the Regulation, see the BLG bulletin New York State Cybersecurity Regulation for Financial Services Companies.