In February 2017, the New York State Department of Financial Services (“DFS”) finalized a new set of cybersecurity regulations that governs New York’s banking, insurance, and financial services industries. Entities in those industries are required to develop and implement cybersecurity programs tailored to their individual risk levels. See Cybersecurity Requirements for Financial Services Companies, 23 N.Y.C.R.R. § 500.02.
On their face, the requirements apply only to “Covered Entities,” which the regulations define as those “operating or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” under New York’s Banking Law, Insurance Law, or Financial Services Law. See § 500.01(c). Because the regulations limit Covered Entities to those required to register (or be licensed) with the State, many federally chartered financial institutions may have concluded that the regulations do not apply to them. This is because, as entities “organized under federal law or the laws of a state other than New York,” they are exempt from the Banking Law’s registration requirement. See N.Y. Banking Law § 590(1)(e).
But that may not be the case. Critically, Banking Law § 590 exempts entities organized under federal law or the laws of another state only from the Banking Law’s registration requirement, not from other regulations issued by the State of New York. Any such “exempt organization” that does not register with the state must still “notif[y] the superintendent that it is acting as [for example] a mortgage servicer in this state and compl[y] with any regulation applicable to mortgage loan servicers.” N.Y. Banking Law § 590(2)(b-1). In this regard, such “exempt mortgage servicers” are listed as “exempt” on the DFS “Who We Supervise” webpage. Many such organizations have thus seen the word “exempt” next to their names and ended their inquiry there. That, however, is only the beginning of the analysis.
Because DFS’s new cybersecurity regulations expressly apply to non-exempt mortgage loan servicers licensed pursuant to the Banking Law, those regulations should also apply more broadly to all mortgage loan servicers operating in New York (under § 590(2)(b-1)), even if they are exempt entities not required to register. Exempt entities may not have been the intended target of the regulations, but the possibility that federal and out-of-state banks, credit unions, and trust companies could nonetheless be subject to New York’s cybersecurity regulations via Banking Law § 590 has sown significant confusion in the industry.
This is a prime example of regulatory creep in relation to cybersecurity: a set of administrative rules giving rise to unintended consequences, because of their broad industry reach. DFS may (or may not) have intended to include exempt entities under the umbrella of the new regulations, but any definitive answer on the subject will have to come out of guidance from DFS, amendment of the regulations, enforcement, or legal challenges to the regulations. It is unclear whether federal preemption forbids DFS from regulating federally chartered financial institutions in this regard, but it is certain that few such institutions would like to be the test case on the subject.