From: Lexology
Edward R. McNicholas, Colleen Theresa Brown and Grady Nye | Sidley Austin LLP
On June 20, 2017, the New York State Department of Financial Services (“NYDFS”) expanded its set of frequently asked questions (“FAQs”) and answers concerning its recently finalized Cybersecurity Regulations (23 NYCRR 500.01), which set forth minimum requirements for NYDFS-regulated entities to address cybersecurity risk. The now 17 questions included in the release address the types of entities that fall within the scope of the Regulations, the notice requirements attending a Cybersecurity Event (as defined in the Regulations), the annual certification requirement, and additional specific elements of the rules.
Significantly, NYDFS made clear its view that New York branches of foreign banks are covered by the Cybersecurity Regulations with respect to the Nonpublic Information of such branches and the Information Systems serving such branches. NYDFS also confirmed that it will only accept annual certifications demonstrating full (rather than partial) compliance with the Regulations. With respect to reportable Cybersecurity Events, NYDFS clarified that such events include reportable data breaches, events involving “material consumer harm,” and even unsuccessful attacks on a Covered Entity.
Other key points addressed in the FAQs include: