New York DFS Responds to Cybersecurity Rule Comments
The New York State Department of Financial Services (DFS) delayed by two months the implementation of its regulation (23 NYCRR 500) on cybersecurity requirements for financial services companies. The regulations now take effect on March 1 as opposed to January 1, 2017. Companies operating in New York State and subject to the regulations have 180 days or until September 1 to be in compliance with the regulations. Companies have until February 15, 2018 to submit a certificate of compliance to the Department of Financial Services.
Worldwide ERC® had submitted a comment letter on the proposed regulation noting our concern as to the broad definition of the types of companies that would be subject to the regulations. Our issue is the rule can be interpreted as covering relocation management companies and other Worldwide ERC® members which are not the focus of the regulations. In the letter, Worldwide ERC® requested an exemption from the regulation for employee benefit service providers. We also outlined several improvements that should be made to the regulation. For a copy of the letter, please click here.
The Department of Financial Services denied the request to provide exemptions to any organizations and believed the definition of affected entities was sufficiently clear. We therefore recommend that Worldwide ERC® members operating in New York State have their legal counsel review the regulation to determine if your company should adhere to the rule. For a copy of the regulation please click here and for the DFS response to comments please click here.
While the DFS denied an exemption for employee benefit service providers and other exemption requests, the Department did make small revisions to exempt covered entities. As to the response to comments made by Worldwide ERC® and others on improvements to the regulations, below is each comment with the corresponding response.
  1. Knowledge Qualification. Section 500.11 (b) (5) requires an absolute representation that the service/product is free of viruses, etc. that would impair the security of the Covered Entity’s Information Systems or Nonpublic Information. We request that this representation be qualified as being “to the best of the knowledge of the third party service provider, …”.

    The Department of Financial Services stated, “in response to comments seeking greater clarity in regard to the requirements of this section, the Department has added a defined term, “Third Party Service Provider(s).””
  2. Scope and Confidentiality of Audits. Section 500.11 (b) (6) requires that the Covered Entity “or its agents” may perform cybersecurity audits of the third party service provider. Such audits could put data of other persons and entities at risk. We request that this section be clarified to specify what types of audits and information may be accessed, under what circumstances, and subject to what confidentiality obligations which will assure that both the process and the results of the audit will protect the confidentiality of the underlying information. Any Covered Entity or its agents should be required to agree to strict confidentiality requirements in performing these audits.

    The DFS responded that it had “amended this section so that its requirements are more explicitly based on the Covered Entity’s Risk Assessment. In addition, DFS has eliminated a provision in section 500.11(b) that may have unintentionally suggested that Covered Entities are required to audit the systems of all third party service providers.”
  3. No Access to Information by NY State Regulators. Any third party service provider which does business in the EU would be concerned with providing unfettered access to its information systems to any Covered Entity, especially if that information might then be made available to government regulators which have jurisdiction over Covered Entities. During the recent Privacy Shield negotiations between the EU and US, it was abundantly clear that the EU is very concerned over who in the US has access to data. We request that this provision should state that the NY state regulators would not have access to information of the third party service providers.

    The DFS acknowledged the need to be in line with other regulations and made revisions accordingly.
  4. Definition of Nonpublic Information. The definition of “Nonpublic Information” is overly broad. We believe that, when the overly broad definition of “Nonpublic Information” is considered together with the requirement (i) to encrypt such information in transit and at rest; (ii) for the Covered Entity to perform annual audits with respect to how such information is protected; and (iii) the lack of an exclusion for employee information, an unduly burdensome obligation is created for both the Covered Entities and their third party service providers which will increase costs and create operational impediments without achieving the stated purpose of the regulations of promoting the protection of customer information of the Covered Entities. We request that the definition of “Nonpublic Information” be narrowed to more clearly track other established definitions of personally identifiable information (“PII”), preferably either the US definition of PII or the EU definition of personal data.

    The DFS stated it did not revise the definition, as the Department “believes its scope is appropriate in the context of the revised proposed regulation.”
  5. Definition of Cybersecurity Event. The definition of “Cybersecurity Event” also is overly broad. This definition includes both successful and unsuccessful attempts to gain unauthorized access to systems or information. Then Section 500.11 (b) (3) requires the third party service provider to provide “prompt notice” to the Covered Entity in the “event of a Cybersecurity Event affecting the third party service provider”. Daily reconnaissance, probes, and attempts to exploit potential vulnerabilities are the norm for any company, including both Covered Entities and third party service providers. Section 500.11 (b) (3) would require third party service providers to provide, and would result in Covered Entities being inundated with, notices of attempted access to third party systems or information, the vast majority of which were stopped before access was gained or information was misused. We request that Section 500.11 (b) (3) be revised to require notice only in the event that customer information was accessed or reasonably believed to have been accessed.
    The DFS stated it did not revise the definition but did revise “several of the provisions of specific concern by requiring that certain provisions be based on the Risk Assessment and by including materiality qualifiers, such as in the Notices to Superintendent section.”

Please note all quoted references in this document were taken from the DFS Assessment of Public Comments for New Part 500 to 23 NYCRR.

