October 22, 2021
To: All Entities Regulated by the Department of Financial Services (“DFS”)
Re: Adoption of an Affiliate’s Cybersecurity Program
Cybersecurity is a central regulatory focus for DFS, from examinations to enforcement. On March 1, 2017, DFS set minimum cybersecurity standards for New York’s financial services industry by promulgating the nation’s first cybersecurity regulation for financial services, 23 NYCRR Part 500 (the “Cybersecurity Regulation”). That regulation requires DFS-regulated entities (“Covered Entities”)[1] to establish risk-based cybersecurity programs to protect their information systems[2] and the nonpublic information[3] maintained on them. Cyber risk has increased dramatically since 2017, which underscores the need for robust cybersecurity programs.
The Cybersecurity Regulation permits Covered Entities to adopt “the relevant and applicable provisions” of the cybersecurity program of an affiliate[4] provided that such provisions satisfy the requirements of the Cybersecurity Regulation. 23 NYCRR § 500.2(c). Many Covered Entities are affiliates of other companies – parents, subsidiaries, etc. – and often share information technology and cybersecurity resources and programs with those affiliates. Adoption can occur, for instance, when a DFS-licensed subsidiary uses a shared service provided by the parent corporation. Examples of Covered Entities that have adopted all or part of an affiliate’s cybersecurity program include the New York subsidiary of a national insurance company, a virtual currency entity created by a corporate parent specifically to engage in that business activity, and the New York branch of a foreign bank.
An adopted cybersecurity program becomes the cybersecurity program of the Covered Entity and consequently must comply with the Cybersecurity Regulation. Id. Although a Covered Entity may adopt an affiliate’s cybersecurity program in whole or in part, the Covered Entity may not delegate responsibility for compliance with the Cybersecurity Regulation to an affiliate. The Covered Entity is responsible for complying with the Cybersecurity Regulation’s requirements regarding its cybersecurity program regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate. Moreover, a Covered Entity’s obligation to demonstrate compliance with the Cybersecurity Regulation is the same whether it adopts the cybersecurity program of an affiliate or implements its own cybersecurity program. Thus, if a Covered Entity adopts the cybersecurity program of an affiliate or portions thereof, DFS may examine the adopted portions of the affiliate’s cybersecurity program to ensure that the Covered Entity is complying with the Cybersecurity Regulation, whether or not the affiliate is regulated by DFS.
Covered Entities are required to make available to DFS, upon request, all “documentation and information” relevant to their cybersecurity programs. 23 NYCRR § 500.2(d). This includes all documentation and information relevant to cybersecurity programs adopted from an affiliate. If a Covered Entity adopts the cybersecurity program of an affiliate not regulated by DFS, that Covered Entity must provide documentation and information evidencing that the affiliate’s cybersecurity program meets the requirements of the Cybersecurity Regulation. For example, foreign bank branches and representative offices have head offices which are not directly regulated by DFS and are located outside the United States. These head offices sometimes have information systems that support and maintain the nonpublic information of the DFS-regulated New York branch or representative office of the foreign bank. The foreign bank branches and representative offices, therefore, usually adopt the cybersecurity program of their head office. In these cases, the foreign bank branches and representative offices must make available to DFS examiners all documentation and information relevant to the adopted portions of their head offices’ cybersecurity programs so that DFS examiners can evaluate the Covered Entities’ compliance with the Cybersecurity Regulation.
One way to ensure that DFS will be able to access the requisite documentation and information is to ensure that any agreement between a Covered Entity and its affiliate provides for such access.[5] DFS must have access, at a minimum, to documentation including the affiliate’s cybersecurity policies and procedures, risk assessments, penetration testing and vulnerability assessment results, and any third party audits that relate to the adopted portions of the cybersecurity program of the affiliate. The Covered Entity must provide documentation from the affiliate sufficient to demonstrate that the portions of the cybersecurity program adopted by the Covered Entity comply with the Cybersecurity Regulation. An agreement should require the affiliate to comply with the requirements of the Cybersecurity Regulation with respect to any of the affiliate’s information systems that are shared with the Covered Entity.
In conclusion, a Covered Entity may adopt the cybersecurity program of an affiliate. A DFS examination or investigation of the Covered Entity may include a review of the adopted portions of the cybersecurity program of that affiliate, and the Covered Entity is responsible for providing DFS with documentation and information sufficient to enable DFS to determine whether the Covered Entity is compliant with the Cybersecurity Regulation.
[1] A Covered Entity, for purposes of the Cybersecurity Regulation, is “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR §500.1(c).
[2] An information system, for purposes of the Cybersecurity Regulation, is “a discrete set of electronic information resources organized for the collection, processing, maintenance, use, sharing, dissemination or disposition of electronic information, as well as any specialized system such as industrial/process controls systems, telephone switching and private branch exchange systems, and environmental control systems.” 23 NYCRR § 500.1(e).
[3] Nonpublic information, for purposes of the Cybersecurity Regulation, is “all electronic information that is not publicly available information and is (1) business related information . . .; (2) any information concerning an individual which because of name, number, personal mark, or other identifier can be used to identify such individual, in combination with any one or more of the following data elements: (i) social security number, (ii) drivers’ license number or non-driver identification card number, (iii) account number, credit or debit card number, (iv) any security code, access code or password that would permit access to an individual’s financial account, or (v) biometric records; (3) any information or data, except age or gender, in any form or medium created by or derived from a health care provider or an individual and that relates to (i) the past, present or future physical, mental or behavioral health or condition of any individual or a member of the individual’s family, (ii) the provision of health care to any individual, or (iii) payment for the provision of health care to any individual.” 23 NYCRR § 500.1(g).
[4] An affiliate, for purposes of the Cybersecurity Regulation, is defined broadly as “any person that controls, is controlled by or is under common control with another person.” 23 NYCRR § 500.1(a). “Control” is defined as “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” Id.
[5] Since, pursuant to the Cybersecurity Regulation, an affiliate is not considered a third party service provider, a Covered Entity’s use of services from an affiliate that involve nonpublic information and/or information systems will be considered an adoption, in whole or in part, of an affiliate’s cybersecurity program regardless of whether there is a formal, written agreement. See 23 NYCRR §500.1(n) (“Third party service provider(s) means a person that (i) is not an affiliate of the covered entity, (ii) provides services to the covered entity, and (iii) maintains, processes or otherwise is permitted access to nonpublic information through its provision of services to the covered entity.”); 23 NYCRR §500.2(c) (“A covered entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate . . . .”).