
New York Department Of Financial Services Offers Guidance On Cybersecurity Regulations

05.31.18

(Article from Insurance Law Alert, May 2018)

For more information, please visit the Insurance Law Alert Resource Center

In March 2017, the Department of Financial Services (“DFS”) enacted cybersecurity regulations applicable to entities subject to New York banking, insurance and financial services laws (“Covered Entities”).  The regulations imposed certain minimum requirements on Covered Entities for cybersecurity practices, including the following:  maintenance of a cybersecurity program and response plan; designation of a senior officer to oversee cybersecurity; routine risk assessment; notification of a security incident to DFS; and annual compliance certification.  See NYCRR § 500.

Since the enactment of these regulations, DFS has provided guidance as to the scope and application of certain provisions on the FAQs page of the DFS website.  In recent months, DFS has issued new FAQ guidance that affects a significant number of entities operating within the state.  Among other things, the new FAQs provide the following information: federally chartered banks that operate as “exempt mortgage servicers” are not Covered Entities; not-for-profit mortgage brokers are Covered Entities; Health Maintenance Organizations and Continuing Care Retirement Communities are within the scope of Covered Entities; and companies that engage in a merger with or acquisition of a Covered Entity are obligated to conduct an analysis of how the transaction will affect the Covered Entity’s compliance obligations.  In addition, the FAQs address application of the regulations to the following entities:  New York branches of out-of-state and out-of-country banks; subsidiaries and affiliates of Covered Entities; and entities that have contractual arrangements with third-party vendors who are Covered Entities.

With respect to exempt entities, the FAQs expressly state that “given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.”

Notably, although the FAQs are intended to provide clarity on DFS’s cybersecurity regulations, they are not binding and are subject to modification.  Thus, both covered and exempt entities are advised to monitor any potential changes to Section 500.