Financial institutions regulated by the New York Department of Financial Services (DFS)—referred to in this post as “Covered Entities”—should by now be well familiar with the department’s sweeping cybersecurity regulation, 23 NYCRR 500, that became effective on March 1, 2017. The regulation delves into a level of detail (e.g., multi-factor authentication and encryption requirements) and requires a level of senior level attention (e.g., annual attestation of compliance, signed by the Board of Directors or a Senior Officer) heretofore unseen in U.S. federal or state regulations.

Perhaps as some relief to Covered Entities, the regulation came with a two-year, phased implementation. That two-year period is quickly winding down as we fast approach the final implementation date of March 1, 2019.

Specifically, pursuant to Section 500.11 of the regulation, by March 1, 2019, Covered Entities must have implemented written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information Systems that are accessible to, or held by, Third Party Service Providers (TSPs).

“Third Party Service Provider(s)” are broadly defined to mean a Person that (a) is not an Affiliate of a Covered Entity, (b) provides services to the Covered Entity, and (c) maintains, processes, or otherwise is permitted to access Nonpublic Information through its provision of services to the Covered Entity. (Recall also that Nonpublic Information includes sensitive business information, not just consumer data).

The policies and procedures required by Section 500.11 must address:

• The identification and risk assessment of TSPs;
• Minimum cybersecurity practices required to be met by such TSPs;
• Due diligence processes used to evaluate the adequacy of TSPs’ cybersecurity practices;
• Periodic assessment of such TSPs based on the risk they present and the continued adequacy of their cybersecurity practices; and
• Relevant guidelines for due diligence and/or contractual protections relating to TSPs, including (a) guidelines addressing access controls (including multi-factor authentication); (b) TSP policies and procedures for use of encryption, as required by the regulation; (c) notice requirements related to Cybersecurity Events; and (d) representations and warranties regarding the TSP’s cybersecurity policies and procedures.

Prior to adopting such policies and procedures, Covered Entities must have completed a Risk Assessment that considers the cybersecurity risks posed by the Covered Entity’s TSPs.

A Covered Entity’s failure to comply with these requirements could subject the Covered Entity to an enforcement action by the DFS, which could include such remedies as a cease and desist order and civil money penalties (including $2,500 per day for non-depositories and $5,000 per day for depository institutions; significantly greater penalties can apply for reckless and knowing violations). The stakes for non-compliance with these TSP requirements seem particularly high these days, as the federal intelligence agencies and the Department of Homeland Security have, in the past couple of years, publicly revealed attempts by Russian hackers to infiltrate U.S. critical infrastructure by way of targeting the smaller, less sophisticated contractors that service major utilities (see this recent Wall Street Journal article). In light of these revelations regarding the potential security vulnerabilities introduced by TSPs (particularly smaller ones), we anticipate that regulators like the DFS will take an aggressive stance should a regulated entity’s cybersecurity breach be caused by what are deemed as insufficient TSP oversight/controls.

For Covered Entities that have not yet concluded the exercise of evaluating their TSPs and/or memorializing their TSP policies and procedures to a written form that complies with the Cybersecurity Regulation, professionals in Pillsbury’s market-leading cybersecurity, financial services regulation, and Global Sourcing and Technology Transactions practices are uniquely situated to assist with this effort. Our professionals in these practices have consistently led the way in advising financial institutions on technology-facing regulatory issues—in particular as regards cybersecurity regulations—and have advised financial institutions (and other major corporations) on strategic transactions with their TSPs to the tune of over $500 billion since 1988.

Other Changes Afoot at DFS
In addition to this approaching March 1 compliance date, Covered Entities are also reminded that the current superintendent of the New York Department of Financial Services, Maria Vullo, is poised to step down from her post effective February 1, 2019. Superintendent Vullo has led the DFS for approximately three years, during which time the DFS enacted 23 NYCRR 500.

New York Governor Andrew Cuomo recently nominated his chief of staff, Linda Lacewell, to succeed Superintendent Vullo. As a former prosecutor, we would expect Lacewell to continue with an aggressive and enforcement-minded approach towards DFS-regulated financial institutions. This seems all the more likely in the wake of the Consumer Financial Protection Bureau (CFPB) taking a markedly less active stance on industry enforcement and regulation at the federal level following the commencement of the Trump administration.