NYDFS releases new updates to cybersecurity regulation FAQs

Privacy/Cyber Risk & Data Security NYDFS State Issues 23 NYCRR Part 500

On February 21, the New York Department of Financial Services (NYDFS) updated its answers to FAQs relating to 23 NYCRR Part 500, which was last updated in December 2017. As previously covered in InfoBytes, 23 NYCRR Part 500 took effect March 1, 2017, and establishes cybersecurity requirements for banks, insurance companies, and other financial services institutions. This week’s updates to the FAQs add the following guidance:

• Due to increasing cybersecurity risks facing financial institutions, NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500”;
• Not-for-profit mortgage brokers are Covered Entities under the cybersecurity regulation;
• Covered Entities, when acquiring or merging with a new company, must conduct a factual analysis of how the cybersecurity regulation applies to the acquisition or merger.  In addition, NYDFS emphasized that Covered Entities must have in place serious due diligence processes and ensure cybersecurity is a priority; and
• Health Maintenance Organizations and continuing-care retirement communities are Covered Entities and must comply with the cybersecurity regulation requirements.

As previously covered in InfoBytes, on January 22, NYDFS issued a reminder to all NYDFS-regulated banks, insurance companies, and other financial services institutions that the deadline to file cybersecurity certifications of compliance was February 15.