This is the fourth in a series of blog posts analyzing certain major proposed changes in the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation. Our prior posts can be found here, here and here.
Previously under the NYDFS Cybersecurity Regulation, the Chief Information Security Officer (“CISO”), together with senior officer(s), was responsible for administering and enforcing a company’s cybersecurity program. New language in the proposed Cybersecurity Regulation, however, threatens to change this dynamic by placing part of that responsibility on the company’s “senior governing body.” What’s the impact? Here’s what executives need to know.
More Board expertise required.
500.1(p) Senior governing body means the covered entity’s board of directors (or an appropriate committee thereof) or equivalent governing body or, if neither of those exist, the senior officer of the covered entity responsible for the covered entity’s cybersecurity program.
500.4(d) If the covered entity has a board of directors or equivalent, the board or an appropriate committee thereof shall: (1) exercise oversight of, and provide direction to management on, the covered entity’s cybersecurity risk management; (2) require the covered entity’s executive management or its delegates to develop, implement and maintain the covered entity’s cybersecurity program; and (3) have sufficient expertise and knowledge, or be advised by persons with sufficient expertise and knowledge, to exercise effective oversight of cybersecurity risk management.
To summarize, the Board of Directors would now be responsible for “requiring” the covered entity’s “executive management” to develop, implement and maintain a compliant cybersecurity program. It is unclear whether “executive management” differs from “senior officer(s).” Given the requirement that the CISO have appropriate “authority” (as discussed in our post here), the CISO would presumably be part of “executive management.” The Board must therefore have, or be advised by persons with, sufficient cybersecurity expertise to provide appropriate oversight and approval of the detailed control environment applicable to the cybersecurity program. Additionally, in Section 500.3, NYDFS is proposing that the Board be the corporate body that approves the cybersecurity program’s policies and procedures. State corporate laws governing boards generally do not require directors to have particular qualifications or experience, so covered entities may need to look to non-cyber regulatory requirements that reach Board activities for models.
Additional risks for individual board members.
These new Board requirements may require changes to the covered entity’s bylaws. The Board is typically responsible for overseeing the officers of a corporation, while the officers manage the corporation’s activities themselves. Requiring the Board to approve specific policies and procedures disrupts this structure and creates additional risk for the Board and for covered entities, including a heightened risk of shareholder derivative actions. For example, we can easily foresee situations in which directors appointed by holding companies or private equity firms lack the cybersecurity expertise necessary to discharge their responsibilities under the revised Regulation.
Corporate counsel advising the Board of Directors will need to be involved in, and understand, the process and the information that go into the Board’s approval of the policies and procedures covered by the cybersecurity program. Traditionally, the lawyers responsible for corporate governance and those responsible for cybersecurity matters have been separate.
If you have questions about how the revised NYDFS Regulation impacts your Board, or about other privacy and data security issues, contact Rick Borden at (212) 705-4884, Daniel Goldberg at (310) 579-9616, Saphya Council at (212) 826-5575, or any other member of the Frankfurt Kurnit Privacy & Data Security Group.