Among the requirements placed on New York chartered- or licensed-financial institutions is that, pursuant to Section 500.17 (“Notices to the Superintendent”), each such entity must notify the Superintendent as promptly as possible but in no event later than 72 hours following a cybersecurity event.1 This is a difficult standard to meet within a tight timetable under the best of circumstances; however, in many events the cybersecurity incident will occur not in the financial institution but within a third party service provider (a “TPSP”).2
Section 500.11 requires each covered entity to have a TPSP security policy.3 Generally speaking, covered entities include New York chartered banks (such as Goldman Sachs Bank and The Bank of New York), and licensed branches and agencies of foreign banks (such as the New York branches of Deutsche Bank and BNP Paribas) (collectively, “Covered Entities”). As part of this policy, every Covered Entity must have written policies and procedures (based on the risk profile of the entity) that include relevant guidelines for due diligence and/or contractual protections addressing notice to be provided to the entity fol-lowing a cybersecurity event “directly impacting … [the entity’s] Nonpublic information being held by the [TPSP].” This requirement seems to directly link to the requirement of such entity to provide the 72 hour notification.
Please click here to read the full client alert.