News
August 13, 2018

NYDFS Provides Guidance on Application of Cybersecurity Rules to Bank Holding Companies

Advisory

On August 9, 2018, the New York State Department of Financial Services (DFS) issued four additional frequently asked questions and responses (FAQs) relating to its cybersecurity regulation (Part 500), including guidance on how Covered Entities should address cybersecurity issues relating to their bank holding companies (BHCs). The four new FAQs provide additional guidance on the application of Part 500 and supplement FAQs released previously to guide affected institutions.

Part 500 requires Covered Entities to adopt and maintain a cybersecurity program and corresponding cybersecurity policies and procedures.1 Several provisions of Part 500 became effective on March 1, 2017, and Covered Entities were required to submit the first annual certifications of compliance to the DFS by February 15, 2018. On August 8, 2018, Superintendent Vullo reminded Covered Entities that the third transitional period under Part 500 ends on September 4, 2018, requiring Covered Entities to come into compliance with requirements relating to, among others, data retention, access controls, encryption, and audit trails.

Although in some ways Part 500 is similar to federal requirements and guidance on cybersecurity for banks and securities firms, it has a number of unique aspects and imposes substantial additional reporting obligations upon Covered Entities.

In the new FAQ addressing Covered Entities with BHCs, the DFS clarifies that a Covered Entity must evaluate all risks presented to its information systems and its nonpublic information by its holding company or other affiliates, and that information systems shared between a Covered Entity, its holding company, and any other affiliate must be protected. Importantly, the guidance provides that the risks posed by such shared systems should be incorporated into the Covered Entity's risk assessment, cybersecurity program, and cybersecurity policies.

The new FAQs also provide guidance relating to: overlapping qualification as a Covered Entity, an Authorized User, and a Third Party Service Provider; which provisions apply and do not apply to Covered Entities qualifying for limited exemptions; and requirements for covered trust funds that are administered by Covered Entities.

The four new FAQs are reproduced verbatim below:

1. Can the same entity be a Covered Entity, an Authorized User, and a Third Party Service Provider?

Yes. Depending on the facts and circumstances, the same entity can be a Covered Entity, an Authorized User, and a Third Party Service Provider. This is common in the case of independent insurance agents. For example, a DFS-licensed independent agent that works with multiple insurance companies is a Covered Entity with its own obligation to establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its Information Systems and Nonpublic Information. See 23 NYCRR 500.02.

In addition, when the independent agent holds or has access to any Nonpublic Information or Information Systems maintained by an insurance company with which it works (for example, for quotations, issuing a policy or any other data or system access), the independent agent will be a Third Party Service Provider with respect to that insurance company; and the insurance company, as a Covered Entity, will be required under 23 NYCRR 500.11 to have written policies and procedures to ensure the security of its Information Systems and Nonpublic Information that are accessible to, or held by, the independent agent (including but not limited to risk based policies and procedures for minimum cybersecurity practices, due diligence processes, periodic assessment, access controls, and encryption).

It is also noted that, like any other Covered Entity, an insurance company may also be a Third Party Service Provider and/or Authorized User with respect to another Covered Entity, including an independent insurance agent.

In all events, each Covered Entity is responsible for thoroughly evaluating its relationships with other entities in order to ensure that it is fully complying with all applicable provisions of 23 NYCRR Part 500.

Further, an independent agent will also be an Authorized User if it participates in the business operations, and is authorized to use any Information Systems and data, of an insurance company that is a Covered Entity. In such a case, the insurance company must implement risk-based policies, procedures and controls to monitor the activities of the independent agent, as more fully described in 23 NYCRR 500.14.

2. If I have a limited exemption, what provisions of the regulation do I still need to comply with?

Please see charts.

Exemption (any of the following):
500.19 (a) (1) Fewer than 10 employees working in NYS
500.19 (a) (2) Less than $5 million in gross annual revenue
500.19 (a) (3) Less than $10 million in year-end total assets

Exempt From:
500.04- Chief Information Security Officer
500.05- Penetration Testing and Vulnerability Assessments
500.06- Audit Trail
500.08- Application Security
500.10- Cybersecurity Personnel and Intelligence
500.12- Multi-Factor Authentication
500.14- Training and Monitoring
500.15- Encryption of Nonpublic Information
500.16- Incident Response Plan

Still Required:
500.02- Cybersecurity Program
500.03- Cybersecurity Policy
500.07- Access Privileges
500.09- Risk Assessment
500.11- Third Party Service Provider Security Policy
500.13- Limitations on Data Retention
500.17- Notices to Superintendent
500.18- Confidentiality
500.19- Exemptions
500.20- Enforcement
500.21- Effective Date
500.22- Transitional Periods
500.23- Severability

Exemption (either of the following):
500.19 (c) Does not control any information systems and nonpublic information
500.19 (d) Captive insurance companies that do not control nonpublic information other than information relating to its corporate parent company

Exempt From:
500.02- Cybersecurity Program
500.03- Cybersecurity Policy
500.04- Chief Information Security Officer
500.05- Penetration Testing and Vulnerability Assessments
500.06- Audit Trail
500.07- Access Privileges
500.08- Application Security
500.10- Cybersecurity Personnel and Intelligence
500.12- Multi-Factor Authentication
500.14- Training and Monitoring
500.15- Encryption of Nonpublic Information
500.16- Incident Response Plan

Still Required:
500.09- Risk Assessment
500.11- Third Party Service Provider Security Policy
500.13- Limitations on Data Retention
500.17- Notices to Superintendent
500.18- Confidentiality
500.19- Exemptions
500.20- Enforcement
500.21- Effective Date
500.22- Transitional Periods
500.23- Severability

3. How must a Covered Entity address cybersecurity issues with respect to a Bank Holding Company (BHC)?

Under 23 NYCRR Part 500, the Covered Entity is responsible for compliance with respect to its Information Systems. Therefore, it must evaluate and address any risks that a BHC (or other affiliate of the Covered Entity) presents to the Covered Entity's Information Systems and/or Nonpublic Information. For example, if a Covered Entity shares its data and systems with a BHC, the Covered Entity must ensure that such shared data and systems are protected. Specifically, the Covered Entity must evaluate and address in its Risk Assessment, cybersecurity program and cybersecurity policies the risks that the BHC poses with respect to such shared Information Systems and/or Nonpublic Information. In the same manner, a Covered Entity must also evaluate and address other cybersecurity risks that a BHC may pose to it. A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC or that otherwise may be subjected to risk by a BHC. Other regulatory requirements may also apply, depending on the individual facts and circumstances.

4. Can a Common Trust Fund (CTF) that is administered by another Covered Entity rely on the cybersecurity program of that Covered Entity?

A CTF that is administered by another Covered Entity can rely on the cybersecurity program of that Covered Entity, as long as that cybersecurity program conforms with 23 NYCRR Part 500 and fully protects the CTF. Under these circumstances, the Covered Entity must submit a Certification of Compliance with the Department.

If the CTF is administered by a national bank, then the Department will defer to that bank's primary regulator to ensure that the CTF has a proper cybersecurity program. Further, to protect markets, the Department strongly encourages all financial entities, including CTFs administered by national banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.

*          *          *

Covered Entities interested in assistance with implementing measures to comply with Part 500 are encouraged to contact any of the authors listed below or your Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions you may have about Part 500, its impact on your bank holding company, upcoming examinations, or cybersecurity risk management and compliance more broadly.

© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
