On October 22, 2021, the New York Department of Financial Services (“NYDFS”) issued an interpretive letter that provides guidance on how entities regulated by NYDFS (“Covered Entities”) may comply with the NYDFS Cybersecurity Regulation by adopting the cybersecurity program of an affiliate (“Affiliate Program Letter”).1 According to the Affiliate Program Letter, a Covered Entity that adopts an affiliate’s cybersecurity program must provide NYDFS with information from the affiliate, even if the affiliate is not itself located in New York and is not directly regulated by NYDFS.2
The Affiliate Program Letter applies to all Covered Entities, including insurance entities, virtual currency businesses, mortgage lenders and US branches, agencies and representative offices of foreign banks. In this Legal Update, we briefly summarize the Affiliate Program Letter and the potential implications for Covered Entities and their affiliates and address the particular cross-border challenges that it raises for the US operations of foreign banks.
Four years ago, NYDFS promulgated the Cybersecurity Regulation, which establishes minimum cybersecurity standards for New York’s financial services industry.3 The regulation requires Covered Entities to establish risk-based cybersecurity programs to protect their information systems and the nonpublic information maintained on them. Recognizing that many Covered Entities are affiliated with other regulated entities (e.g., New York chartered banks within a financial holding company structure), the Cybersecurity Regulation permits a Covered Entity to adopt “the relevant and applicable provisions” of the cybersecurity program of an affiliate provided that such provisions satisfy the requirements of the Cybersecurity Regulation.4 Therefore, the Covered Entity, rather than its affiliate, remains responsible for complying with the Cybersecurity Regulation’s requirements, regardless of whether its cybersecurity program is its own or was adopted in whole or in part from an affiliate.5
As is relevant to the Affiliate Program Letter, Covered Entities are required to make available to NYDFS, upon request, all “documentation and information” relevant to their cybersecurity programs.6 According to the Affiliate Program Letter, this includes all documentation and information relevant to cybersecurity programs adopted from an affiliate. As a result, if a Covered Entity adopts the cybersecurity program of an affiliate not regulated by NYDFS, that Covered Entity must provide documentation and information evidencing that the affiliate’s cybersecurity program meets the requirements of the Cybersecurity Regulation. This can include, at a minimum, documentation on the affiliate’s adopted cybersecurity policies and procedures, its risk assessments, penetration testing and vulnerability assessment results and any third-party audits that relate to the adopted portions of the cybersecurity program of the affiliate. Affiliates that are not currently subject to supervision and examination by the NYDFS may be reluctant to share this type of sensitive information with the NYDFS. As discussed below with respect to banking entities, there could be some concerns or even legal restrictions on the ability of foreign affiliates to provide access to this type of information. To ensure that NYDFS is able to access the requisite affiliate documentation and information, the Affiliate Program Letter suggests that any agreement between a Covered Entity and its affiliate to share or otherwise adopt the same cybersecurity program expressly provide for such NYDFS access and reporting.
Challenges for Foreign Banks with New York Branches, Agencies or Representative Offices
The Affiliate Program Letter poses a challenge for foreign banks with New York branches, agencies or representative offices that is less likely to exist for US-based financial groups that are subject to comprehensive regulation in the United States. From a practical perspective, the information technology and compliance activities of many foreign banks are integrated into enterprise-wide systems and may be difficult to disaggregate and report in relation to the Cybersecurity Regulation. Additionally, many foreign banks maintain information and policies for their New York operations in compliance with local confidentiality, privacy and supervisory regulations. Consequently, the costs to foreign banks may be substantial for identifying and redacting non-New York information that they may not disclose to NYDFS and converting the remaining documents, assessments audits, and required information into a format that NYDFS can readily use to examine compliance. Further, such foreign banks may need to obtain authorization from home country regulators to disclose documentation to NYDFS that demonstrates their compliance with the Cybersecurity Regulation.
The Cybersecurity Regulation permits Covered Entities to adopt the cybersecurity programs of their affiliates, which allows entities in financial groups to efficiently share the same systems. However, the Affiliate Program Letter highlights some important questions for Covered Entities and their affiliates. For foreign banks and their New York operations, there are some particular issues to consider, including how to manage the flow of information from home country offices to NYDFS and navigate any foreign laws that may limit such sharing. Consequently, foreign banks may consider reviewing their arrangements for storing, formatting and converting data to ensure that they can share the required information in a manner that complies with New York and foreign law.