On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See 23 NYCRR Part 500. The reach of the Regulations is important to note: they apply not only to what the Regulations refer to as a “Covered Entity” based in New York, but also to entities that are merely licensed or otherwise authorized to do business in New York. Nor are the Regulations limited to financial institutions; they cover any business entity that is regulated under New York banking law, insurance law, or financial services law. As such, the impact of the Regulations is wide-sweeping. On August 22, 2017 we published an alert providing an overview of the Regulations, and on February 6, 2018 and August 28, 2018 we published follow-ups highlighting the next round of disclosures required under the Regulations. Shipman & Goodwin LLP Data Privacy Team members Bill Roberts and Damien Privitera also conducted a CLE webinar – Compliance Checkup: NY DFS Cybersecurity Regulations – on August 7, 2018, which can be accessed here.
Now, approaching two years from the effective date, this alert is a further follow-up addressing the upcoming February 15, 2019 and March 1, 2019 deadlines. A brief overview of who is covered, the key dates, and the areas in which compliance must be achieved is set out below. Please refer to our prior publications and/or the CLE webinar for additional information, including past deadlines and requirements.
Who is a Covered Entity:
With the exception of an “Exempt Entity” (see below), the Regulations apply to any entity or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” pursuant to New York banking law, insurance law, or financial services law. This may include New York-licensed lenders, mortgage banks, life insurance companies, savings and loans, charitable foundations and other financial services firms, among others. If your business operates in the State of New York, it is important to verify whether it qualifies as a Covered Entity.
Who is an Exempt Entity:
Not all Covered Entities are required to comply with the Regulations in their entirety. Those with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets qualify for a limited exemption and do not need to comply with sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16. The Regulations also do not apply to national banks, federal savings banks, and federally chartered branches of non-U.S. banks (because these entities are regulated by federal law, not New York State law), but they do apply to New York-chartered or -licensed lenders and New York branches of foreign banks. It should be noted that a parent, affiliate or subsidiary that does not have its own basis for an exemption cannot rely on the fact that its parent, affiliate or subsidiary is an Exempt Entity. Therefore, the Regulations may still indirectly affect national banks, federal savings banks, and federally chartered branches of non-U.S. banks through their New York-regulated affiliates. Additional exemptions may also apply under section 500.19. Even Exempt Entities should be cognizant of the Regulations and the requirements thereunder, which serve as a standard for protecting third-party information.
Approaching Key Dates:
Although the Regulations were effective March 1, 2017, there are several key dates of which all Covered Entities should be aware. Those dates, and their relevance, are as follows:
- February 15, 2019: Annual deadline for certification of compliance to be submitted by Covered Entities pursuant to 23 NYCRR 500.17(b). This is a recurring annual date on which future certifications will need to be filed.
- March 1, 2019: The two-year transitional period afforded by the Regulations from their effective date expires. Unless otherwise specified, this is the date by which all Covered Entities must be in compliance with Section 500.11 of the Regulations.
What is Required by February 15, 2019:
On or before February 15, 2019, a Covered Entity must file a certificate of compliance for the calendar year 2018.
- Instructions on how to file a certificate of compliance are available here.
- Exemptions filed in 2017 and 2018 have expired and a new exemption request will need to be filed in advance of the February 15, 2019 deadline.
- Because the only compliance deadline that has not yet passed is March 1, 2019 (see below), all Covered Entities that have not obtained an exemption must already be in compliance with all other provisions of the Regulations.
What is Required by March 1, 2019:
On or before March 1, 2019, a Covered Entity must comply with the following:
- Third Party Service Provider Security Policy [500.11].
- Written policies and procedures based on the Covered Entity’s Risk Assessment must be developed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. The policies must address the identification and risk assessment of Third Party Service Providers, the minimum cybersecurity practices required of them, due diligence processes used to evaluate them, and periodic assessment of their continued adequacy, and shall include relevant guidelines for due diligence and/or contractual protections relating to Third Party Service Providers.
Recent guidance regarding the Regulations and next steps from Superintendent Maria T. Vullo is available here.
This is not legal advice. The foregoing is only an overview of the Regulations, which are far more robust and detailed regarding what a Covered Entity must complete to be in compliance, and it does not necessarily include each specific item. If you have any questions or concerns based on the above and/or would like to discuss what must be done in order to be in compliance under the Regulations, please contact us to discuss in more detail.