The New York Department of Financial Services (NYDFS) recently updated frequently asked questions (FAQs) about its cybersecurity regulations, 23 NYCRR 500, to address four new issues. NYDFS published its initial set of FAQs on April 24, 2017. Please see prior Ballard Spahr Alerts on the NYDFS' cybersecurity regulations here and here.

In addition to FAQs, the NYDFS also released a timeline of key deadlines through March 1, 2019, for compliance with different requirements imposed by the regulations. These deadlines include:

• August 28, 2017: Cybersecurity program (Section 500.12), cybersecurity policy (500.03), chief information security officer (500.04(a)), access privileges (500.07), cybersecurity personnel and intelligence (500.10); and incident response plan (500.16)

• September 27, 2017: Filing of Notice of Exemptions (500.19(e))

• February 15, 2018: All "Covered Entities" are required to submit their first annual certifications

• March 1, 2018: Chief Information Security Officer reporting to the board of directors (500.04(b)), penetration testing and vulnerability assessments (500.05), risk assessments (500.09), multi-factor authentication (500.12), and cybersecurity awareness training (500.14(a)(2))

• September 3, 2018: Audit trails (500.06), application security (500.08), data retention (500.13), policies and procedures to monitor the activity of authorized users (500.14(a)(1)), and encryption (500.15)

• March 1, 2019: Third-party service provider security policy (500.11)

As these compliance deadlines draw closer, financial institutions should review all of the FAQs to confirm that they have aligned their policies, procedures, and practices with the NYDFS' interpretation of the regulations.

Below are a list of the new FAQs and summaries of each entry:

1. When is an unsuccessful attack a Cybersecurity Event that has or had "a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity" under the reporting requirements of 23 NYCRR Section 500.17(a)(2)?

This first new FAQ instructs organizations to use good judgment when deciding whether to report unsuccessful attacks. Because it seeks to gather and share information about "especially serious unsuccessful attacks," NYDFS encourages organizations to assess whether the response to the incident required measures or resources beyond their usual procedures, such as "exceptional attention by senior personnel or the adoption of extraordinary non-routine precautionary steps." The NYDFS says it does not intend to penalize Covered Entities that were acting in good faith when making judgments about which unsuccessful events to report.

2. Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500?

This second new FAQ clarifies that the home state of a state-chartered bank is primarily responsible for its supervision, and NYDFS defers to the home state supervisors in the examination of New York branches, but encourages all financial institutions to adopt cybersecurity protections.

3. How must a Covered Entity address cybersecurity issues with respect to its subsidiaries and other affiliates?

This third new FAQ addresses the need to evaluate any risks to Covered Entities' information systems or any nonpublic information stored on a subsidiary's or affiliate's systems. In conducting the required risk assessment and creating its cybersecurity program and policy, a Covered Entity must address the risks posed by their subsidiaries and affiliates.

4. If a Covered Entity qualifies for a limited exemption, does it need to comply with 23 NYCRR Part 500?

This fourth new FAQ explains that Covered Entities that qualify for exemptions are only exempt from complying with certain provisions. The Covered Entity still must comply with the applicable provisions listed in the designated exemption. The exceptions were designed to be tailored for particular circumstances, not to allow Covered Entities to avoid all cybersecurity requirements.

These four new FAQs join the existing set of questions, which are listed below:

• Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers?

• Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event?

• May a Covered Entity adopt portions of an Affiliate's cybersecurity program without adopting all of it?

• May the certification requirement of 23 NYCRR 500.17(b) be met by an Affiliate?

• To the extent a Covered Entity uses an employee of an Affiliate as its Chief Information Security Officer ("CISO"), is the Covered Entity required to satisfy the requirements of 23 NYCRR 500.04(a)(2)-(3)?

• Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500?

• Where interrelated requirements under 23 NYCRR Part 500 are subject to different transitional periods, when and to what extent are Covered Entities required to comply with currently applicable requirements that are impacted by separate requirements for which the applicable transitional period has not yet ended?

• Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018?

• May a Covered Entity submit a certification under 23 NYCRR 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500?

• What constitutes "continuous monitoring" for purposes of 23 NYCRR 500.05?

• When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)?

• How should a Covered Entity submit Notices of Exemption, Certifications of Compliance, and Notices of Cybersecurity Events?

• Can an entity be both a Covered Entity and a Third-Party Service Provider under 23 NYCRR Part 500?

• Are all Third Party Service Providers required to implement Multi-Factor Authentication and encryption when dealing with a Covered Entity?