After compliance certifications were to be filed by February 15, 2018, the New York Department of Financial Services (“DFS” or “Department”) answered some questions that had been on the minds of many companies prior to certification. Specifically, the DFS issued four more answers to frequently asked questions about the DFS Cybersecurity Regulation (“Regulation”). These four, of now 30 FAQs, address how the Regulation is to be applied to Exempt Mortgage Servicers, Not-for-Profit Mortgage Brokers, health maintenance organizations (“HMOs”) and continuing care retirement communities (“CCRCs”), and how the Regulation should be considered during the process of mergers and acquisitions.
The Regulation applies to those operating or required to operate under New York insurance, finance and banking laws (“Covered Entities”), but the Regulation has widespread effect beyond the Covered Entities themselves.
The Regulation required a number of cybersecurity and IT policies and procedures to be in place by August 28, 2017. On or before February 15, 2018, Covered Entities were to certify to the DFS Superintendent compliance thus far with the Regulation. Certain ongoing cybersecurity activities and other IT controls were to be in place by March 1, 2018, and additional and different IT controls in place by September 3, 2018. By March 1, 2019, Covered Entities must establish a comprehensive plan to review Third-Party Service Providers who handle Nonpublic Information for the Covered Entity. The complete Regulation can be found at: http://www.dfs.ny.gov/legal/regulations/adoptions/dfsrf500txt.pdf.
The DFS’ Answers to the Four New FAQs:
- Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?
Under N.Y. Bank Law § 590(2)(b-1), an exempt entity will need to prove its “exempt organization” status. Since the notification is not an authorization from the Department, an Exempt Mortgage Servicer, under N.Y. Bank Law § 590(2)(b-1), will not fit the definition of a Covered Entity under 500.01(c). However, Exempt Mortgage Loan Servicers that also hold a license, registration or received approval under the provisions of Part 418.2(e) are required to prove exemption and comply with the Regulation. With respect to the Regulation, given the ever-increasing cybersecurity risks that financial institutions face, the DFS strongly encourages all financial institutions, including Exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.
- Are Not-for-Profit Mortgage Brokers Covered Entities under 23 NYCRR 500?
Yes. Not-for-Profit Mortgage Brokers are Covered Entities under 23 NYCRR 500.3. NYCRR Part 39.4(e) provides that mortgage brokers “which seek exemption may submit a letter application” to the Mortgage Banking unit of the Department at the address set forth in section 1.1 of Supervisory Policy G 1, “together with such information as may be prescribed by” the Superintendent. As this authorization is necessary for a Not-for-Profit Mortgage Broker, it is a Covered Entity under 23 NYCRR 500.
- Do Covered Entities have any obligations when acquiring or merging with a new company?
Section 500.09(a) states that the “Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations.” Furthermore, Section 500.08(b) states that the institution’s application security “procedures, guidelines and standards shall be periodically reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the Covered Entity.” As such, when Covered Entities are acquiring or merging with a new company, they will need to do a factual analysis of how these regulatory requirements apply to that particular acquisition. Some important considerations include, but are not limited to, what business the acquired company engages in; the target company’s risk for cybersecurity, including its availability of PII; the safety and soundness of the Covered Entity; and the integration of data systems. The Department emphasizes that Covered Entities need to have a serious due diligence process, and cybersecurity should be a priority when considering any new acquisitions.
- Are HMOs and CCRCs Covered Entities?
Yes. Both HMOs and CCRCs are Covered Entities. Pursuant to the Public Health Law, HMOs must receive authorization and prior approval of the forms they use and the rates they charge for comprehensive health insurance in New York. The Public Health Law subjects HMOs to DFS authority by making provisions of the Insurance Law applicable to them. CCRCs are required by Insurance Law Section 1119 to have contracts and rates reviewed and authorized by the DFS. The Public Health Law also subjects HMOs and CCRCs to the examination authority of the Department. As this authorization is fundamental to the ability to conduct their businesses, HMOs and CCRCs are Covered Entities because they are “operating under or required to operate under” DFS authorizations pursuant to the Insurance Law. Moreover, since these entities have sensitive, private data, their compliance with cybersecurity protection is necessary.
The following web address has the complete list of all FAQs issued by the DFS concerning the Regulation: http://www.dfs.ny.gov/about/cybersecurity_faqs.htm.