If you’ve been following our coverage of the New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements, you should have a reasonable grasp of what it will do, who it applies to, and who is exempt from it.
However, law firm Harter Secrest & Emery LLP believes that not all entities supervised by the NYDFS are aware of their obligations. In an article published last month, it wrote that confusion between the Regulation’s rules surrounding exempt entities and New York’s Banking Law § 590 may cause some organizations to incorrectly infer that they don’t need to comply with the Regulation.
Are you exempt?
The NYDFS lays out nine types of entities across five categories that are exempt from the Cybersecurity Requirements. Apart from entities in the final category, special insurance organizations and certain reinsurers, the exemptions are partial: they relieve an organization of certain sections of the Regulation, not of the Regulation as a whole. Additionally, even if you qualify for one or more of these exemptions, you must still file a Notice of Exemption with the NYDFS within 30 days of making that determination.
Despite this, Harter Secrest & Emery claims that some organizations are seeing the word “exempt” next to their name on the NYDFS’ “Who We Supervise” webpage and concluding that they don’t have to take any further action.
The word appears there for a different reason. Under New York Banking Law § 590, entities “organized under federal law or the laws of a state other than New York” are exempt from that law’s registration requirement. That exemption covers only the registration requirement; it does not exempt those entities from other regulations issued by the State of New York, including the Cybersecurity Requirements.
According to Harter Secrest & Emery, this is “a prime example of regulatory creep: a set of administrative rules giving rise to unintended consequences.” It writes:
Exempt entities may not have been the intended target of the regulations, but the possibility that federal and out-of-state banks, credit unions, and trust companies could nonetheless be subject to New York’s cybersecurity regulations via Banking Law § 590 has sown significant confusion in the industry.
[The NYDFS] may (or may not) have intended to include exempt entities under the umbrella of the new regulations, but any definitive answer on the subject will have to come out of guidance from [the NYDFS], amendment of the regulations, enforcement, or legal challenges to the regulations.
Cybersecurity regulatory creep
Regulatory creep is also hampering a separate proposal, first put forward last year by the Federal Reserve, the Treasury, and the Federal Deposit Insurance Corporation (FDIC), to create enhanced cyber risk management standards for the financial industry. The proposal would set specific rules in five categories: cyber risk governance; cyber risk management; internal dependency management; external dependency management; and incident response, cyber resilience, and situational awareness.
After the FDIC called for comment on the proposal, a number of companies voiced concerns. For instance, IHS Markit called for more clarity on who would be affected by it, while the Risk Management Association said it was too prescriptive.
In January, the regulators extended the deadline for comments until February 17, 2017. They have not provided any updates on the proposal since then.
Want to learn more?
If you’re looking for more information on the Regulation, you should register for IT Governance’s upcoming webinars in our series on the NYDFS Cybersecurity Requirements.
Our next webinar, NY State’s cybersecurity requirements for risk management, security of applications, and the appointed CISO, will take place on June 28, 2017, at 1:15 pm (ET)/10:15 am (PT).
If you can’t make the webinar, it will be available to download shortly after it finishes. On our website, you can also find past webinars in the series, which you can download or watch online.