Reading the Fine Print: The NYDFS Assessment of Comments on its Proposed Cybersecurity Amendments

by Matthew L. Levine

Matthew L. Levine (Photo courtesy of the author)

The New York State Department of Financial Services (“DFS”) has issued its long-awaited proposed revision to “Part 500,” the agency’s groundbreaking Cybersecurity Regulation.[1]  This revision may be the basis for the final rule that will go into effect in stages after the Notice of Adoption is published in the State Register.

A catalog of analysis by law and consulting firms has already popped up online concerning the specific changes proposed, and not proposed, in this latest revision.  There is no question that, when implemented, the regulation’s final changes are likely to have a material impact on financial institutions regulated by DFS.

Yet another document that accompanied the proposed revision should not be overlooked:  the DFS “Assessment of Public Comments” (the “Assessment”).  The rough equivalent of the “fine print” accompanying the proposal, the Assessment responds to an extensive body of commentary received by DFS from financial institutions, trade groups, law firms and others after DFS issued a previous iteration of the proposed amendments in November 2022.[2]

At 92 pages, the Assessment is worthy of digesting on its own.  One reason is that it offers the DFS perspective on numerous comments received by the agency, observations that may be useful to cybersecurity professionals carrying out day-to-day compliance with the regulation.

Another notable reason is that the Assessment contains broader statements of DFS supervisory policy and practice.  These pronouncements offer key insights into how DFS views its jurisdiction, governance matters, budgetary authority for compliance programs, and Part 500 overall, making them worthy of review by Boards of Directors and senior management of DFS-regulated entities.

Jurisdiction

DFS emphasized its broad view of agency jurisdiction in the Assessment in response to comments suggesting the Department should restrain exercise of its authority when applying the Cybersecurity Regulation.  One comment argued, for example, that the Department should limit Part 500’s scope to “the portion of the [Covered Entity’s] business related to an activity regulated by the Department.”  Another comment asserted that the Department is “creating requirements [] unique to New York for an issue that extends beyond the borders of New York State.”

DFS roundly rejected these comments:

“Part 500 applies to entities regulated by the Department.  If these entities have multiple businesses, they still need to secure their systems. Requiring entities only to secure the information systems used to house or process financial information would not provide adequate cybersecurity.  If the systems are not adequately isolated from the rest of the covered entity’s network, a breach of an information system not directly related to banking, financial, or insurance services may lead to a compromise of relevant nonpublic information.”[3]

When another commentator requested that the regulation be narrowed to address effects on New York customers, asking that the notification requirements of § 500.17(a) “be limited to only apply where New York residents were impacted,” DFS retorted:

“a breach of any customer’s information is indicative of a possible security issue at the covered entity, regardless of where the customer resides.”[4]

This expansive perspective is consistent with other expressions by the agency of its broad authority — especially where an enterprise-wide compliance system impacts a downstream or affiliated DFS licensee.   For example, in an enforcement action against Goldman Sachs (In the Matter of Goldman Sachs Group and Goldman Sachs Bank USA (2020)),[5] DFS flexed its supervisory muscles by penalizing Goldman Sachs Group for compliance deficiencies allegedly arising from its enterprise-wide compliance system:

“GS Group employs a single, enterprise-wide compliance system.  Accordingly, GS Group is primarily responsible for the design, implementation, and execution of an enterprise-wide compliance program for GS Group as well as its subsidiaries, including [Goldman Sachs Bank USA].  Such a global system must incorporate open lines of communication between the centralized compliance function and the relevant subsidiaries for the seamless reporting of compliance concerns, compliance issues, and the identification of compliance challenges relevant to that subsidiary.”[6]

Similarly, in a more recent enforcement action against a cryptocurrency entity, RobinHood Crypto, DFS penalized conduct that allegedly violated both the DFS BitLicense Regulation and Cybersecurity Regulation.  The DFS Consent Order expansively defined regulatory expectations for an entity (here, Robinhood Crypto) that relies on an affiliate for compliance functions:

“[Robinhood Crypto] RHC was not fully compliant with New York State regulations, and failed to address some of the particular risks associated with operating a cryptocurrency trading platform.  RHC was reliant on its parent and affiliates for substantial aspects of its compliance program. Although such reliance is not inherently violative of DFS requirements, in this case, such reliance proved to be a weakness because the programs of the parent (RHM) and affiliate (RHF) were not compliant with New York State regulations, and they failed to address all the particular risks applicable to licensed virtual currency businesses.”[7]

Governance

The Assessment also offers certain guidance on what constitutes effective governance in the eyes of DFS.  Responding to comments that challenge a new provision that requires a “senior governing body” to approve a Covered Entity’s cybersecurity program, the Department declared:

“The board of directors or other senior governing body of a covered entity has oversight responsibility over the entity’s risks, and cybersecurity risks pervade every area over which the board or other senior governing body exercises oversight.”

The Assessment continues:

“To properly exercise oversight responsibility, the board or other senior governing body must be aware of cybersecurity risks and ensure the company has a written cybersecurity policy and procedures in place. Having the senior governing body approve the policy is the most effective way to achieve this goal, as opposed to relying on an intermediary to directly or indirectly approve and relay that information to the board or other senior governing body.

. . . .

The arguments that the requirement for the board or other senior governing body to approve policies would be a distraction[,] is not a proper board function, and that the board does not have the requisite expertise to approve these policies[, are all] unpersuasive. . . . [T]he board or other senior governing body should have sufficient understanding of cybersecurity-related matters, which may include the use of advisors.”[8]

Later in the Assessment, the Department notes:

“[C]orporate governance laws generally would require a board of directors of a corporation to oversee and address risks in an organization.  For example, the duty of loyalty would prohibit a board from consciously ignoring red flags brought to its attention. . . . The board of directors or other senior governing body of a covered entity has oversight responsibility over organizational risks, and cybersecurity risks in particular tend to pervade every area over which the board exercises oversight.  To properly exercise oversight responsibility, the board or other senior governing body must be aware of cybersecurity risks.  Having the CISO report to the board directly is the most effective way to achieve this goal, as opposed to the CISO reporting crucial information to an intermediary and then relying on the intermediary to directly or indirectly relay that information to the board.”[9]

Budgetary Authority and Governance

The Department took the opportunity in the Assessment to provide some perspective on the intersection of governance and budgeting authority.  Responding to a comment, which challenged language in the proposed amendment that requires the Chief Information Security Officer (“CISO”) to have “adequate authority” and the “ability to direct sufficient resources,” the Department replied:

“[I]t is more important for the CISO to have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.  The requirement for the CISO to have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources, does not mean the CISO has a “blank check.”  The CISO is still subject to a covered entity’s regular budgetary approval process.  However, an insufficiently resourced cybersecurity program may result in a covered entity’s non-compliance with Part 500 if the covered entity is otherwise unable to meet the other requirements contained in Part 500. . . .[10]

[E]ven a highly experienced and credentialed cybersecurity professional reporting directly to the board of directors or the CEO would be ineffective if not provided with sufficient corporate resource[s], including personnel or tools, to adequately do their job.” [11]

This statement evokes guidance also emphasized in a recent DFS enforcement action.  In the RobinHood Crypto matter discussed above, DFS faulted the firm for allegedly failing to empower its Chief Compliance Officer:

“These [compliance] problems were exacerbated by a lack of prominence for RHC compliance within RHM’s organizational structure. Despite RHC’s reliance on its parent and affiliate for its compliance program, RHC’s Chief Compliance Officer (“CCO”) reported to RHC’s Director of Product Operations, rather than reporting directly to a legal or compliance executive at the parent or affiliate. The CCO also did not participate in any formal reporting to the Board of Directors or independent audit or risk committees at the parent or affiliate. Thus, RHC played no meaningful role in compliance efforts at the entity level, resulting in a lack of an ability to influence staffing and resources, or to timely and adequately adopt measures that would assure full compliance with the Department’s Regulations.”[12]

Annual Certifications

In the Assessment, DFS also accented the importance it places on having the annual certification of Part 500 compliance made by two of the regulated entity’s most senior officers.  Responding to a comment, which suggested a Covered Entity should be provided the option of having either the CISO, or the CEO, sign the annual certification under § 500.17(b), DFS stressed that:

“It is important to have both the CISO, as the person in charge of overseeing the cybersecurity program at the covered entity, as well as the CEO or the highest-ranking executive, as the person in charge of the business, sign and be involved with cybersecurity compliance.”

This change aligns the DFS cybersecurity certification process with the federal Sarbanes-Oxley law, which similarly requires dual certification for financial statements by the CFO and CEO of a public corporation.[13]

Notably, however, this amendment to the Cybersecurity Regulation is not aligned with another DFS certification requirement:  the certification required under Part 504, the Transaction Monitoring and Sanctions Filtering regulation, which may be made either by the entire Board of Directors, or by a senior officer.[14]

Compliance With Part 500

Finally, the Assessment offers insights into how DFS views compliance with Part 500 as a policy matter.  In one instance, the Department transparently describes its intent in issuing the Cybersecurity Regulation — to set baseline standards for regulated institutions.  The Assessment states:

“Part 500 is risk-based and does not mandate unreasonable technical controls.  The cybersecurity standards that companies must implement are minimum cybersecurity best practices that the Department believes should be implemented by all covered entities regardless of their risk assessment.[15]

. . . .

The requirements contained in Part 500 are designed to ensure that covered entities have a cybersecurity program in place and follow certain minimum standards and industry best practices to protect against a cybersecurity incident.”[16]

The Department adds that, in setting minimum standards by regulation, it is nonetheless sensitive to being overly prescriptive:

“Mandating the implementation of certain technologies . . . would limit the ability of covered institutions to determine what protections are needed based on their risk assessment.  The Department generally attempts to avoid mandating the use of specific techniques or technologies.”[17]

Along the same lines, the Assessment declares that, “[t]hese amendments are designed to reflect the current and reasonably foreseeable cybersecurity environment.”[18]

The Department also emphasized the critical importance it places on timely notification of a Cybersecurity Event under § 500.17(a).  DFS sees prompt notification as essential to its effort to construct an early warning intelligence network for regulated entities:

“The timeframes specified for notifications under § 500.17(a) should not be delayed for any reason as timely notifications are used by DFS to identify techniques used by attackers and enable DFS to respond quickly to new threats in order to protect consumers and the financial services industry.”[19]

This statement underscores previous guidance from DFS advising that early notification is critical to the agency’s mission of aiding regulated entities to defend against cybersecurity attacks.[20]

DFS further acknowledged that, as with other notification provisions set out in New York’s banking and insurance regulations,[21] the initial disclosure of a Cybersecurity Event to DFS may, by necessity, be limited in scope:  “DFS understands that the initial notification may only contain limited information.”[22]  The Assessment relatedly notes that Part 500 places upon a Covered Entity “a continuing obligation to update and supplement the information provided.”[23]

Conclusion

The Assessment provides important guidance to Boards of Directors and senior management in the development, implementation and remediation of a Cybersecurity Program.   Moreover, its perspectives may offer important counsel regarding compliance with other DFS regulatory requirements, including anti-money laundering, sanctions filtering, operational risk and consumer protection.

It may be wishful thinking, but perhaps the most helpful comment from DFS in the Assessment is the agency’s observation that, “nowhere does Part 500 require perfect compliance.”[24]   Hopefully this is an assessment that DFS will heed.

Footnotes

[1] https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_text_20230628.pdf.

[2] See https://www.dfs.ny.gov/system/files/documents/2023/06/rev_rp_23a2_apc_20230628.pdf.

[3] Assessment at 10.

[4] Id. at 79 (emphasis supplied).

[5] https://www.dfs.ny.gov/system/files/documents/2020/10/ea20201021_goldman_sachs.pdf.

[6] Id. ¶ 29.

[7] See ¶¶ 30-31, https://www.dfs.ny.gov/system/files/documents/2022/08/ea20220801_robinhood.pdf.

[8] Assessment at 22 (emphasis supplied).

[9] Id. at 30.

[10] Id. at 28 (emphasis supplied).

[11] Id. at 29 (emphasis supplied).

[12] See ¶ 31, https://www.dfs.ny.gov/system/files/documents/2022/08/ea20220801_robinhood.pdf.

[13] See 18 U.S.C. § 1350.

[14] 3 N.Y.C.R.R. § 504.4.

[15] Assessment at 2.

[16] Id. at 88.

[17] Id. at 3 (emphasis supplied).

[18] Id. at 67.

[19] Id. at 77.

[20] See Matthew L. Levine, Cybersecurity Activity from NYDFS Fashions Expectations and Suggests More Enforcement Is to Come, NYLJ (June 8, 2021), available at https://www.law.com/newyorklawjournal/2021/06/07/cybersecurity-enforcement-activity-from-nydfs-fashions-regulatory-expectations-and-suggests-more-enforcement-is-to-come/.

[21] See, e.g., 3 N.Y.C.R.R. § 300.1; Matthew L. Levine, Self-Reporting Misconduct to NYDFS: It’s Not Your Monaco Memo (Part One), NYLJ (Nov. 29, 2022), available at https://www.law.com/newyorklawjournal/2022/11/29/self-reporting-misconduct-to-nydfs-its-not-your-monaco-memo-part-one/.

[22] Assessment at 78.

[23] Id.

[24] Id. at 47.

Matthew L. Levine is a Partner at Elliott Kwok Levine & Jaroslaw LLP. This post first appeared on the firm’s blog.

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regard to infringement of intellectual property rights remains with the author(s).