My latest post on the blog for the NYU Program on Corporate Compliance and Enforcement deals with enforcement aspects of the recent amendments to the NYDFS Cybersecurity Regulation, Part 500.

These recent amendments to the Cybersecurity Regulation (Part 500) of the New York State Department of Financial Services (NYDFS) are quite expansive in scope.[1]  Chief Compliance Officers and litigation counsel for regulated entities are no doubt questioning what the contours of future enforcement will look like under the regulation.  That is because the revised regulation has enlarged the opportunity for enforcement in a number of areas.

First, more enforcement is likely simply because the regulation, as amended, has become more prescriptive.   With regulated entities now subject to more requirements, there is more opportunity for supervisory criticism during examinations, supervisory action arising from such evaluation and, ultimately, enforcement.

Second, additional enforcement is likely due to revisions made to the certification provision, § 500.17.   For example, in the event that an entity is unable to certify “material compliance” with the regulation for a calendar year, the entity instead must (a) “acknowledge its lack of material compliance,” (b) “identif[y] all sections of this Part [500] that the entity has not materially complied with and describe[] the nature and extent of such noncompliance”; and (c) “provide[] a remediation timeline or confirmation that remediation has been completed.”

In essence, this provision requires a regulated entity to provide a roadmap of weaknesses in its cybersecurity program, along with a remediation timeline.   While this obligation is intended to achieve important compliance improvements in an entity’s cybersecurity program and is a common prudential tool, it also creates an easy-to-follow enforcement map for DFS if events take an unfortunate turn.

A third reason to be concerned about increased enforcement is linked to the new “extortion payment” notification provision.  In addition to requiring notice to DFS within 24 hours of any such payment, the regulation now requires the entity to provide a written description within 30 days of (a) the reasons payment was necessary, (b) alternatives to payment considered, (c) all diligence performed to find alternatives to payment, and (d) all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.  Again, while the information sought is important to allow DFS to conduct surveillance among its regulated entities, it is also very likely the product of intense deliberations among lawyers and advisors, and it will be a challenge to provide meaningful information to DFS while preserving the attorney-client and other privileges.

Finally, a fourth reason to keep a lookout for potentially ramped-up DFS enforcement concerns application of the amended enforcement provision, § 500.20.   Previously, the provision stated, in sum and substance, merely that DFS retained all existing enforcement powers under the regulation.  The revised provision is dramatically different, providing that

commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof.  Such acts or failures include, without limitation: (1) the failure to secure or prevent unauthorized access to an individual’s or an entity’s nonpublic information due to noncompliance with any section of this Part; or (2) the material failure to comply for any 24-hour period with any section of this Part.

The immediate impact of this change is twofold.   First, it intends to penalize as a standalone violation any unauthorized disclosure of Non-Public Information somehow arising out of any deficiency under an entity’s cybersecurity program.   Second, it seeks to fashion multiple violations out of what would otherwise be considered a single course of conduct.   While there is some question about whether DFS possesses the authority to structure the revised enforcement provision in this manner,[2] regulated entities nonetheless would be wise to treat this provision, at a minimum, as important enforcement guidance.

[1] 23 N.Y.C.R.R. § 500 et seq.  Unlike its first iteration, which was issued solely pursuant to the Financial Services Law, this amendment now takes its authority from the Banking Law, Insurance Law, and Financial Services Law.  See id.

[2] See, e.g., Am. Transit Ins. Co. v. Corcoran, 76 N.Y.2d 977, 980 (1990) (“Pyramiding of penalties, i.e., treating continuing violations as separate daily transgressions, has been upheld only where cumulative penalties are expressly authorized by statute.”) (citation omitted).