New York DFS Issues New Cybersecurity Guidance

Under New York’s Cybersecurity Regulation, issued in 2017, any entity (a “Covered Entity”) regulated by the New York State Department of Financial Services (DFS) must maintain a risk-based cybersecurity program that protects its information systems and nonpublic data. For years, DFS has allowed Covered Entities to adopt the cybersecurity program of an affiliate. This has meant that a DFS-regulated department within a larger organization that is not DFS-regulated has been allowed to adopt the cybersecurity program of its parent organization.

DFS has issued new guidance this week that allows the practice to continue, but clarifies that the responsibility for compliance rests with the DFS-regulated department, not with the larger organization. The guidance also states that if a DFS-regulated department uses parts of a larger organization’s or affiliate’s cybersecurity program, it must allow DFS to examine those parts, and that DFS must be provided with “documentation including the affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate.” DFS also recommends that Covered Entities enter into binding contractual agreements with affiliates so that this documentation can be produced more easily.

According to analysis by law firm Davis Polk, there are a few important takeaways for Covered Entities to consider. First, a Covered Entity must ensure that any borrowed portions of a cybersecurity program meet DFS requirements. Second, Covered Entities should work with their affiliates to establish a process for documenting compliance, and assume that all portions of the affiliate’s program will be subject to review by DFS. Finally, Covered Entities should create agreements with their affiliates to ensure that compliance can be clearly documented.
