Cybersecurity Pros Discuss the Implications of the NYDFS’s New Amendments to its Cybersecurity Rule

On November 17, 2023, the NYU Law Program on Corporate Compliance and Enforcement (PCCE) hosted a standing-room-only full-day conference on Security, Privacy, and Consumer Protection. The conference addressed issues such as managing effective cybersecurity and privacy compliance programs, the use of “dark patterns” to manipulate consumer choices, and whether privacy regulation and enforcement actions actually prompt firms to update their privacy policies. A full agenda of the conference, along with speaker bios, is available here. In this post, several participants from the panel titled The NYDFS Cybersecurity Rule Amendments and Their Implications for Firms Beyond the Financial Sector share further thoughts on the issue.

Photo of panelists

Left to right: Justin Herring, Matthew Levine, Cheryl James, Edward Stroz, and Alexander Southwell (Moderator)(©Hollenshead: Courtesy of NYU Photo Bureau)

Summary of Panel Comments on NYSDFS Cyber Rules Amendments

by Edward Stroz

Photo of panelist

Edward Stroz (©Hollenshead: Courtesy of NYU Photo Bureau)

A strong legal foundation and clear, detailed regulatory rules are excellent starting points for organizations to address cyber risk. The NYSDFS is doing its part by delivering the type of clarity that corporate management for affected entities can draw upon as they work to ensure proper governance over cyber risk. One of the most critical decisions that an organization should then address is that of determining what level of “risk tolerance” or “risk appetite” it should aim to achieve. Following that determination, measures and metrics can be crafted that indicate what level of risk the organization is exposed to and what improvements should be prioritized over time.

Cyber risk really cannot be eliminated, but it can be managed. The important question for a board of directors and senior management to address is what level of cyber risk is appropriate for their organization and how that level can be expressed in policy language that is actionable by the people responsible for operating the business and monitoring systems.

No company can afford to spend unlimited amounts of money and time on cyber security. Equally true is that no outside consultants can determine the risk appetite for a client company. However, working together with trusted experts, a company can articulate its approach to cyber risk management and the factors and metrics that will be used to demonstrate effective governance. A cyber “risk register” that assigns responsibilities for risk and supporting reports from management are essential tools. The actions taken by management in implementing governance guidance from the board of directors should be expressed in terms capable of being compared to the regulatory rules in a manner that provides evidence of compliance and the quality of judgments made in setting priorities for spending.

Edward Stroz is a co-founder of Consilience 360, LLC, a security consulting firm that specializes in advising boards of directors, corporate committees and corporate officers on cybersecurity risk management and governance.

The Shape of Enforcement To Come: Amendments to the NYDFS Cybersecurity Regulation

by Matthew L. Levine

Photo of panelist

Matthew L. Levine (©Hollenshead: Courtesy of NYU Photo Bureau)

Recent amendments to the Cybersecurity Regulation (Part 500) of the New York State Department of Financial Services (NYDFS) are quite expansive in scope.[1] Chief Compliance Officers and litigation counsel for regulated entities are no doubt questioning what the contours of future enforcement will look like under the regulation. That is because the revised regulation has enlarged the opportunity for enforcement in a number of areas.

First, more enforcement is likely simply because the regulation, as amended, has become more prescriptive. With regulated entities now subject to more requirements, there is more opportunity for supervisory criticism during examinations, supervisory action arising from such evaluation and, ultimately, enforcement.

Second, additional enforcement is likely due to revisions made to the certification provision, § 500.17. For example, in the event that an entity is unable to certify “material compliance” with the regulation for a calendar year, the entity instead must (a) “acknowledge its lack of material compliance,” (b) “identif[y] all sections of this Part [500] that the entity has not materially complied with and describe[] the nature and extent of such noncompliance,” and (c) “provide[] a remediation timeline or confirmation that remediation has been completed.”

In essence, this provision requires a regulated entity to provide a roadmap of weaknesses in its cybersecurity program, along with a remediation timeline. While this obligation is intended to achieve important compliance improvements in an entity’s cybersecurity program and is a common prudential tool, it also creates an easy-to-follow enforcement map for DFS if events take an unfortunate turn.

A third reason to be concerned about increased enforcement is linked to the new “extortion payment” notification provision. In addition to requiring notice to DFS within 24 hours of any such payment, the regulation now requires the entity to provide a written description within 30 days of (a) the reasons payment was necessary, (b) alternatives to payment considered, (c) all diligence performed to find alternatives to payment, and (d) all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control. Again, while the information sought is important to allow DFS to conduct surveillance among its regulated entities, it is also very likely the product of intense deliberations among lawyers and advisors, and it will be a challenge to provide meaningful information to DFS while preserving the attorney-client and other privileges.

Finally, a fourth reason to keep a lookout for potentially ramped-up DFS enforcement concerns application of the amended enforcement provision, § 500.20. Previously, the provision stated, in sum and substance, merely that DFS retained all existing enforcement powers under the regulation. The revision is dramatically altered, providing that

commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof. Such acts or failures include, without limitation: (1) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of this Part; or (2) the material failure to comply for any 24-hour period with any section of this Part.

The immediate impact of this change is twofold. First, it intends to penalize as a standalone violation any unauthorized disclosure of Non-Public Information somehow arising out of any deficiency under an entity’s cybersecurity program. Second, it seeks to fashion multiple violations out of what would otherwise be considered a single course of conduct. While there is some question about whether DFS possesses the authority to structure the revised enforcement provision in this manner,[2] regulated entities nonetheless would be wise to treat this provision, at a minimum, as important enforcement guidance.

Footnotes

[1] 23 N.Y.C.R.R. § 500 et seq. Unlike its first iteration, which was issued solely pursuant to the Financial Services Law, this amendment now takes its authority from the Banking Law, Insurance Law, and Financial Services Law. See id.

[2] See, e.g., Am. Transit Ins. Co. v. Corcoran, 76 N.Y.2d 977, 980 (1990) (“Pyramiding of penalties, i.e., treating continuing violations as separate daily transgressions, has been upheld only where cumulative penalties are expressly authorized by statute.”) (citation omitted).

Matthew L. Levine is now a partner at Elliott Kwok Levine & Jaroslaw LLP. Formerly, he served as Executive Deputy Superintendent for Enforcement for the New York State Department of Financial Services.

The NYDFS Amendments Are Part of Trend of Regulatory Focus on Cybersecurity Governance by Senior Management and Boards

by Justin Herring

Photo of panelist

Justin Herring (©Hollenshead: Courtesy of NYU Photo Bureau)

Although NYDFS’s original cybersecurity regulation already had several governance requirements, the newly amended regulation extends that with several new governance requirements focused on boards and senior executives. It now requires boards to exercise oversight of the cybersecurity program, and that the CISO regularly report on cybersecurity to senior executives and the board. And it requires that each covered company’s CISO and “highest ranking executive” sign the annual compliance certification. These new governance responsibilities have teeth, as we can see in several NYDFS enforcement actions charging companies with falsely certifying compliance with its cybersecurity regulation and the recent SEC action charging SolarWinds and its CISO with misrepresenting the company’s cybersecurity program.

Similarly, in final and pending cyber regulations from other regulators, there also is a focus on the board and executive reporting and oversight, including the SEC’s public company disclosure rule, pending SEC rules for investment advisors and broker-dealers, and other emerging rules from both state and federal financial services regulators. Across different agencies and different laws, regulators are demonstrating a clear affinity for rules that require boards and senior executives to stay informed and be responsible for overseeing cyber risk management.

Companies – especially large organizations with multiple regulators – should consider designing a board and executive reporting process that is sufficiently robust so as to be “future-proofed.” This means a documented, clear process and cadence for reporting that complies with today’s requirements and won’t have to be redesigned as more regulations with similar requirements are finalized.

Justin Herring is a Partner at Mayer Brown LLP. Herring was previously at the NYDFS’s Cybersecurity Division, where he served as the unit’s first leader, and the head of the Cybercrime Unit at the U.S. Attorney’s Office for the District of New Jersey.

Photo of panelists

(©Hollenshead: Courtesy of NYU Photo Bureau)

The views, opinions and positions expressed within all posts are those of the author(s) alone and do not represent those of the Program on Corporate Compliance and Enforcement (PCCE) or of the New York University School of Law. PCCE makes no representations as to the accuracy, completeness and validity of any statements made on this site and will not be liable for any errors, omissions or representations. The copyright of this content belongs to the author(s) and any liability with regards to infringement of intellectual property rights remains with the author(s).