by Greg Andres, Matthew Bacal, Martine Beamon, Angela Burgess, Robert Cohen, Gabriel Rosenberg, Margaret Tahyar, James Haldin, Matthew Kelly, and Daniel Newman
The New York DFS issued new guidance regarding a covered entity’s reliance on an affiliate’s cybersecurity program. The guidance explains DFS’s view that, when a covered entity relies on an affiliate’s program, DFS has authority to examine the affiliate’s program.
Since 2017, New York’s Cybersecurity Regulation, 23 N.Y.C.R.R. Part 500, has required any “Covered Entity”—that is, any entity regulated by New York’s Department of Financial Services (DFS)—to maintain a risk-based cybersecurity program consistent with certain prescriptive technical and procedural requirements. These requirements, the DFS has maintained, are designed to ensure that the Covered Entity’s program adequately protects the Covered Entity’s information systems and the nonpublic information maintained on them.