Cyber Laws And Regulations


Jeannine Lander

Aug 4, 2024, 9:17:27 PM8/4/24
to bagtinecse
Since the regulation was adopted, the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves. As a result, Part 500 was amended again, effective November 1, 2023.

This Resource Center is designed to help explain how to comply with the Cybersecurity Regulation. Among other things, it provides links to industry guidance, FAQs and provides detailed information on how to submit cybersecurity-related filings, including notifications to DFS regarding compliance, cybersecurity incidents, and exemption status.


This Resource Center is frequently updated, and you may sign up for email updates on important regulatory guidance, cybersecurity alerts, and other information related to cybersecurity in the financial services sector by going to the DFS Email Updates Signup Page and subscribing to Cybersecurity Updates. These emails will come from the email address [email protected].


Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are "operating under or required to operate under" DFS authorizations pursuant to the Insurance Law, and whether or not they are regulated by another governmental entity is irrelevant to this determination.


Yes, they are considered Covered Entities and, as such, must comply with Part 500. Only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office, are subject to the applicable requirements of Part 500, whether through the branch's, agency's, or representative office's development and implementation of its own cybersecurity program or through the adoption of an Affiliate's cybersecurity program.


A Covered Entity may adopt an Affiliate's cybersecurity program in whole or in part as provided for in Section 500.2(d), as long as the Covered Entity's overall cybersecurity program meets all requirements of Part 500. The Covered Entity remains responsible for full compliance with the requirements of Part 500. To the extent a Covered Entity relies on an Affiliate's cybersecurity program in whole or in part, that program must be made available for examination by the Department.


To the extent a Covered Entity utilizes an employee of an Affiliate or Third-Party Service Provider to serve as the Covered Entity's CISO for purposes of Section 500.4(a), the Covered Entity retains full responsibility for compliance with the requirements of Part 500 at all times, including ensuring that the CISO responsible for the Covered Entity is performing the duties consistent with this Part.


Effective continuous monitoring could be attained through a variety of technical and procedural tools, controls and systems. There is no specific technology that is required to be used in order to have an effective continuous monitoring program. Effective continuous monitoring generally has the ability to continuously, on an ongoing basis, detect changes or activities within a Covered Entity's Information Systems that may create or indicate the existence of cybersecurity vulnerabilities or malicious activity. In contrast, non-continuous monitoring of Information Systems, such as through periodic manual review of logs and firewall configurations, would not be considered to constitute "effective continuous monitoring" for purposes of Section 500.5.


No. The Department emphasizes the importance of a thorough due diligence process in evaluating the cybersecurity practices of a Third-Party Service Provider. Solely relying on the Certification of Compliance will not be adequate due diligence. Covered Entities must assess the risks each Third-Party Service Provider poses to their Nonpublic Information and Information Systems and effectively address those risks.


Yes. Section 500.17(a) requires a Covered Entity that has been impacted by a Cybersecurity Event that occurred at one of its Third-Party Service Providers to notify DFS if the Covered Entity is also required to notify any government body, self-regulatory agency, or any other supervisory body. This is required of the Covered Entity even if the Third-Party Service Provider also notifies DFS. Reporting Cybersecurity Events such as these enables the Department to more rapidly identify techniques used by attackers and alert industry, respond quickly to new threats, and continue to protect consumers and the financial services industry.


A Covered Entity may not submit a certification under Section 500.17(b) unless the Covered Entity was in material compliance with all applicable requirements of Part 500 for the calendar year for which it is certifying. Starting with notifications due by April 15, 2024, a Covered Entity that was not in material compliance with the Cybersecurity Regulation for the preceding calendar year must file an Acknowledgment of Noncompliance pursuant to Section 500.17(b)(1)(ii).


It depends on the exemption for which the Covered Entity qualifies. If it qualifies for a full exemption pursuant to Section 500.19(b), (e), or (g), and submitted a Notice of Exemption, the Covered Entity does not need to submit an annual notification regarding its compliance. If, however, the Covered Entity qualifies for a limited exemption and filed a Notice of Exemption pursuant to Sections 500.19(a), (c) or (d), it does need to submit an annual notification regarding its compliance.


If the Covered Entity filed a Notice of Exemption under sections 500.19(a), (c) or (d), it is still required to file an annual notification regarding its compliance with the sections of the Cybersecurity Regulation that apply to it as specified in the regulation. Consequently, if a Covered Entity filed for an exemption under subsection (a) of Section 500.19, it is still required to: maintain a cybersecurity program as required in Section 500.2; maintain a cybersecurity policy as required in Section 500.3; limit access privileges as required in Section 500.7; conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to DFS as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.


If you filed for an exemption under subsections (c) or (d) of Section 500.19, you are still required to: conduct a Risk Assessment as required by Section 500.9; implement a Third-Party Service Provider policy as required by Section 500.11; limit data retention as required in Section 500.13; and provide notices to the Superintendent as required by Section 500.17, which includes submitting cybersecurity incident and extortion payment notifications and annual notifications regarding its compliance.


All Covered Entities, including non-residents, are required to submit notifications of their compliance unless they qualify for a full exemption pursuant to Section 500.19(b), (e), or (f) and have filed a Notice of Exemption.


The following inactive licensees who do not otherwise qualify as a Covered Entity (for example, who do not hold another type of license) are exempt from the annual requirement to notify DFS regarding their compliance:


If none of the above apply to your situation, then as long as you are licensed by DFS, you need to comply with the Cybersecurity Regulation. However, you may qualify for the limited exemption pursuant to Section 500.19(c) which applies to any regulated entity or licensed Person that does not maintain any Information Systems and does not possess any Nonpublic Information, including information concerning former or potential customers. Even if you do qualify, Section 500.19(c) is a limited exemption that still requires compliance with certain provisions of the regulation (see table below), including the requirement to submit an annual Certification of Material Compliance or an Acknowledgment of Noncompliance.


One example of material noncompliance that would require a Covered Entity to file an Acknowledgment of Noncompliance is the failure to conduct a cybersecurity Risk Assessment since its Cybersecurity Program must be based on such a Risk Assessment. See Section 500.2(b). Another example of material noncompliance is the failure of a Covered Entity to implement procedures designed to ensure the security of information systems and non-public information that are accessible to, or held by, third-party service providers, especially in light of the significant cybersecurity risks associated with third-party service providers.


On the other hand, a single event involving an inadvertent lapse in the operation of the Cybersecurity Program of short duration and with no or minimal impact is not likely to be considered an instance of material noncompliance that would require the filing of an Acknowledgment of Noncompliance. However, several immaterial violations, when considered in the aggregate, might constitute a material violation, necessitating an Acknowledgment of Noncompliance be filed instead of a Certification of Material Compliance.
