DFS asserts that some surprising classes of companies must meet the mandates of 23 NYCRR 500
It’s been a little over a year since New York’s “first-in-the-nation” cybersecurity regulations, 23 NYCRR 500, took effect, setting a high cybersecurity standard for any entity reporting to the state’s Department of Financial Services (DFS).
Covered businesses – ranging from banks to financial service centers to insurance agencies – must now be in compliance with most of the law’s requirements. A few final mandates related to practices like risk assessments and multi-factor authentication will phase in by March 1, 2019.
But a few days after the first annual certifications of compliance had to be submitted to DFS on Feb. 15, the department released four new Frequently Asked Questions (FAQs) that have a sweeping impact on the scope of its cybersecurity regulations. The new FAQs build upon earlier releases in 2017 that attempted to clarify areas of confusion still swirling around the law.
This time – more than a year after 23 NYCRR 500 went into effect – DFS clearly defines that some surprising classes of companies fall under the umbrella of the law and must be prepared to meet its mandates. It also spells out what is expected of covered entities after a merger or acquisition is completed.
The new FAQs, and what they mean:
- Are exempt mortgage servicers covered entities under 23 NYCRR 500? For the most part, no. DFS states that exempt mortgage servicers do not fit the definition of covered entities under the new law. However, exempt mortgage loan servicers that hold a license or registration, or that have received approval, under New York’s 3 NYCRR 418.2 (e) must prove their exemption and comply with the new cybersecurity regulations.
Federally chartered banks, for instance, are usually exempt from registration as a mortgage servicer in the state of New York and also don’t need an exemption under 418.2 (e). DFS’ decision not to make them obey the new cybersecurity mandate is a welcome exception to language in New York’s banking laws, which requires exempt mortgage servicers to “comply with any regulation applicable to mortgage loan servicers, promulgated by the superintendent.”
One last note of interest: even though most exempt mortgage servicers don’t have to follow the law, the FAQ strongly encourages them to voluntarily implement its mandates. This encouragement – although non-binding – is being taken quite seriously, because a bill working its way through the New York Senate, the SHIELD Act (S. 6933), attempts to add a requirement for “reasonable safeguards” for data security to New York’s general business laws. It’s reasonable to assume that the DFS regulations will set the standard for overall cybersecurity requirements in New York.
- Are not-for-profit mortgage brokers covered entities under 23 NYCRR 500? DFS clearly states that not-for-profit mortgage brokers must comply with the new law.
- Do covered entities have any obligations when acquiring or merging with a new company? DFS firmly asserts that any covered entity that undergoes a merger or acquisition must perform a thorough analysis of how its compliance duties might be affected by the deal. Areas of concern include the business of the target company, its cybersecurity risks, the safety and soundness of the covered entity, and the integration of data systems.
The bottom line: DFS wants to know that cybersecurity is a priority for companies considering new acquisitions and that serious due diligence will take place.
This explanation should come as common sense to financial institutions that already comply with the requirements of the Gramm-Leach-Bliley Act (GLBA). Its Safeguards Rule demands that companies re-evaluate and adjust their information security programs after major changes to their operations or business arrangements. Still, the new FAQ is helpful for businesses that have not had to maintain stringent GLBA compliance programs.
- Are Health Maintenance Organizations (HMOs) and Continuing Care Retirement Communities (CCRCs) covered entities? The biggest shake-up from the new FAQs is the declaration that HMOs and CCRCs fall under the mandate of DFS’ cybersecurity law – even though DFS is not their primary regulator.
The FAQ took some by surprise since these organizations mostly operate in the healthcare field – and their interactions with DFS are secondary to their core function. But since DFS has the authority to approve forms and rates for HMOs and CCRCs – and since they are subject to its examination – DFS asserts that they fall under its umbrella as covered entities.
The New York State Department of Health, the primary regulator for the majority of healthcare organizations in the state, doesn’t have any cybersecurity regulations. HMOs are also governed by the less stringent requirements of the HIPAA Security Rule put forth by the federal Department of Health and Human Services.
These new FAQs offer helpful guidance as companies continue to navigate compliance with New York’s new cybersecurity law. However, it is important to remember that the FAQs are non-binding and can be changed at any point by DFS. The FAQs can attempt to clarify the law, but they cannot make any true changes to the regulations.
Companies should continue to monitor the FAQs page, keep an eye out for public statements from DFS about the law, and watch the state register for any proposed amendments or emergency regulations that might pop up in the future. As cybersecurity threats continue to evolve, it is likely that the law will evolve with it.
An experienced cybersecurity provider is best qualified to help companies stay abreast of any changes to 23 NYCRR 500, and ensure that best cybersecurity practices are in place to protect their most sensitive information – and their bottom lines from DFS fines.
CyberGuard360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education, and training and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.