On October 22, 2021, the New York Department of Financial Services (“NYDFS”) issued an interpretive letter that provides guidance on how entities regulated by NYDFS (“Covered Entities”) may comply with the NYDFS Cybersecurity Regulation by adopting the cybersecurity program of an affiliate (“Affiliate Program Letter”).1 According to the Affiliate Program Letter, a Covered Entity that adopts an affiliate’s cybersecurity program must provide NYDFS with information from the affiliate, even if the affiliate is not itself located in New York and is not directly regulated by NYDFS.2

The Affiliate Program Letter applies to all Covered Entities, including insurance entities, virtual currency businesses, mortgage lenders and US branches, agencies and representative offices of foreign banks. In this Legal Update, we briefly summarize the Affiliate Program Letter and the potential implications for Covered Entities and their affiliates and address the particular cross-border challenges that it raises for the US operations of foreign banks.
