March 6, 2018

New York Department of Financial Services Updates Cybersecurity Guidance: Coverage of Cybersecurity Requirements Addressed in 4 New FAQs

Robinson+Cole Data Privacy + Security Insider

+ Follow Contact

Send

Embed

On March 1, 2018, the New York Department of Financial Services (NYDFS) “cybersecurity regulations” (23 NYCRR Part 500) took effect, placing a number of cybersecurity requirements on banks, insurance companies, and other financial services institutions and licensees regulated by the NYDFS (“Covered Entities”).

To aid in compliance with the regulation, the NYDFS recently added new guidance regarding Covered Entitles to its Frequently Asked Questions. The FAQs were last updated in December 2017, and the revisions include four new questions, which are summarized below:

Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?

An Exempt Mortgage Servicer “will not fit the definition of a Covered Entity…” However, the NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.”

Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500?

Yes. Not-for-profit Mortgage Brokers are Covered Entities under 23 NYCRR 500.

Do Covered Entities have any obligations when acquiring or merging with a new company?

NYDFS provides the following guidance regarding mergers and acquisitions: “When Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [various regulatory requirements] apply to a particular acquisition. Some important considerations include, but are not limited to, the type of business of the target company, the target company’s risk for cybersecurity including its availability of personally identifiable information, the safety and soundness of the Covered Entity, and the integration of data systems.” NYDFS also emphasizes the need to have a serious due diligence process with cybersecurity being a serious priority throughout the acquisition process.

Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities?

Yes. Both HMOs and CCRCs are Covered Entities. As detailed in new FAQ 4, HMOs and CCRCs are Covered Entities subject to DFS authority by virtue of New York’s Public Health and Insurance laws.

The NYDFS Cybersecurity FAQs are available here.

[View source.]

Send Print Report

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

Written by:

Robinson+Cole Data Privacy + Security Insider

Contact + Follow

Norman Roos

+ Follow

less

Published In:

Banking Sector

+ Follow

Chief Information Security Officer (CISO)

+ Follow

Covered Entities

+ Follow

Cybersecurity

+ Follow

Cybersecurity Framework

+ Follow

Data Protection

+ Follow

Financial Institutions

+ Follow

Financial Services Industry

+ Follow

Information Technology

+ Follow

Insurance Industry

+ Follow

NYDFS

+ Follow

Risk Management

+ Follow

General Business

+ Follow

Finance & Banking

+ Follow

Insurance

+ Follow

Privacy

+ Follow

Science, Computers & Technology

+ Follow

less

Robinson+Cole Data Privacy + Security Insider on:

New York Department of Financial Services Updates Cybersecurity Guidance: Coverage of Cybersecurity Requirements Addressed in 4 New FAQs

Related Posts

Latest Posts

Written by:

Published In:

Robinson+Cole Data Privacy + Security Insider on:

"My best business intelligence, in one easy email…"