On October 22, 2021, the New York Department of Financial Services (“NYDFS”) issued an interpretive letter that provides guidance on how entities regulated by NYDFS (“Covered Entities”) may comply with the NYDFS Cybersecurity Regulation by adopting the cybersecurity program of an affiliate (“Affiliate Program Letter”).1 According to the Affiliate Program Letter, a Covered Entity that adopts an affiliate’s cybersecurity program must provide NYDFS with information from the affiliate, even if the affiliate is not itself located in New York and is not directly regulated by NYDFS.2
The Affiliate Program Letter applies to all Covered Entities, including insurance entities, virtual currency businesses, mortgage lenders and US branches, agencies and representative offices of foreign banks. In this Legal Update, we briefly summarize the Affiliate Program Letter and the potential implications for Covered Entities and their affiliates and address the particular cross-border challenges that it raises for the US operations of foreign banks.
In 2017, four years before the Affiliate Program Letter, NYDFS promulgated the Cybersecurity Regulation, which establishes minimum cybersecurity standards for New York’s financial services industry.3 The regulation requires Covered Entities to establish risk-based cybersecurity programs to protect their information systems and the nonpublic information maintained on them. Recognizing that many Covered Entities are affiliated with other regulated entities (e.g., New York chartered banks within a financial holding company structure), the Cybersecurity Regulation permits a Covered Entity to adopt “the relevant and applicable provisions” of the cybersecurity program of an affiliate, provided that such provisions satisfy the requirements of the Cybersecurity Regulation.4 Adoption does not shift responsibility, however: the Covered Entity, rather than its affiliate, remains responsible for complying with the Cybersecurity Regulation’s requirements, regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.5
Of particular relevance to the Affiliate Program Letter, Covered Entities are required to make available to NYDFS, upon request, all “documentation and information” relevant to their cybersecurity programs.6 According to the Affiliate Program Letter, this includes all documentation and information relevant to cybersecurity programs adopted from an affiliate. As a result, if a Covered Entity adopts the cybersecurity program of an affiliate not regulated by NYDFS, that Covered Entity must provide documentation and information evidencing that the affiliate’s cybersecurity program meets the requirements of the Cybersecurity Regulation. At a minimum, this could include documentation on the affiliate’s adopted cybersecurity policies and procedures, its risk assessments, penetration testing and vulnerability assessment results, and any third-party audits that relate to the adopted portions of the affiliate’s cybersecurity program. Affiliates that are not currently subject to supervision and examination by NYDFS may be reluctant to share this type of sensitive information with NYDFS. As discussed below with respect to banking entities, there could be concerns, or even legal restrictions, regarding the ability of foreign affiliates to provide access to this type of information. To ensure that NYDFS is able to access the requisite affiliate documentation and information, the Affiliate Program Letter suggests that any agreement between a Covered Entity and its affiliate to share or otherwise adopt the same cybersecurity program expressly provide for such NYDFS access and reporting.
Challenges for Foreign Banks with New York Branches, Agencies or Representative Offices
The Affiliate Program Letter poses a challenge for foreign banks with New York branches, agencies or representative offices that is less likely to arise for US-based financial groups subject to comprehensive regulation in the United States. From a practical perspective, the information technology and compliance activities of many foreign banks are integrated into enterprise-wide systems and may be difficult to disaggregate and report in relation to the Cybersecurity Regulation. Additionally, many foreign banks maintain information and policies for their New York operations in compliance with local confidentiality, privacy and supervisory regulations. Consequently, foreign banks may incur substantial costs in identifying and redacting non-New York information that they may not disclose to NYDFS and in converting the remaining documents, assessments, audits and required information into a format that NYDFS can readily use to examine compliance. Further, such foreign banks may need to obtain authorization from home country regulators before disclosing to NYDFS documentation that demonstrates their compliance with the Cybersecurity Regulation.
The Cybersecurity Regulation permits Covered Entities to adopt the cybersecurity programs of their affiliates, which allows entities within a financial group to share the same systems efficiently. However, the Affiliate Program Letter highlights some important questions for Covered Entities and their affiliates. For foreign banks and their New York operations, there are particular issues to consider, including how to manage the flow of information from home country offices to NYDFS and how to navigate any foreign laws that may limit such sharing. Foreign banks may therefore wish to review their arrangements for storing, formatting and converting data to ensure that they can share the required information in a manner that complies with both New York and foreign law.
1 NYDFS, Indus. Ltr. Re: Adoption of an Affiliate’s Cybersecurity Program (Oct. 22, 2021), https://www.dfs.ny.gov/industry_guidance/industry_letters/il20211022_affiliates_cybersecurity_program. A Covered Entity, for purposes of the Cybersecurity Regulation, is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR § 500.1(c).
2 An affiliate, for purposes of the Cybersecurity Regulation, is defined broadly as “any person that controls, is controlled by or is under common control with another person.” 23 NYCRR § 500.1(a). “Control” is defined as “the possession, direct or indirect, of the power to direct or cause the direction of the management and policies of a person, whether through the ownership of stock of such person or otherwise.” Id.
3 See our Legal Update on the Cybersecurity Regulation, https://www.mayerbrown.com/en/perspectives-events/publications/2017/03/cybersecurity-ny-adopts-final-regulations-for-bank.
5 See, e.g., NYDFS, Cybersecurity FAQs #6 (“A Covered Entity will ultimately be held responsible for protecting its Information Systems and Nonpublic Information that are shared with a BHC [Bank Holding Company] or that otherwise may be subjected to risk by a BHC.”).