On March 1, 2018, the New York Department of Financial Services (NYDFS) “cybersecurity regulations” (23 NYCRR Part 500) took effect, placing a number of cybersecurity requirements on banks, insurance companies, and other financial services institutions and licensees regulated by the NYDFS (“Covered Entities”).

To aid in compliance with the regulation, the NYDFS recently added new guidance regarding Covered Entitles to its Frequently Asked Questions. The FAQs were last updated in December 2017, and the revisions include four new questions, which are summarized below:

  1. Are Exempt Mortgage Servicers Covered Entities under 23 NYCRR 500?

An Exempt Mortgage Servicer “will not fit the definition of a Covered Entity…” However, the NYDFS “strongly encourages all financial institutions, including exempt Mortgage Servicers, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500.”

  1. Are Not-for-profit Mortgage Brokers Covered Entities under 23 NYCRR 500?

Yes. Not-for-profit Mortgage Brokers are Covered Entities under 23 NYCRR 500.

  1. Do Covered Entities have any obligations when acquiring or merging with a new company?

 NYDFS provides the following guidance regarding mergers and acquisitions: “When Covered Entities are acquiring or merging with a new company, Covered Entities will need to do a factual analysis of how [various regulatory requirements] apply to a particular acquisition. Some important considerations include, but are not limited to, the type of business of the target company, the target company’s risk for cybersecurity including its availability of personally identifiable information, the safety and soundness of the Covered Entity, and the integration of data systems.” NYDFS also emphasizes the need to have a serious due diligence process with cybersecurity being a serious priority throughout the acquisition process.

  1. Are Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs) Covered Entities?

Yes. Both HMOs and CCRCs are Covered Entities. As detailed in new FAQ 4, HMOs and CCRCs are Covered Entities subject to DFS authority by virtue of New York’s Public Health and Insurance laws.

The NYDFS Cybersecurity FAQs are available here.