NYSDFS Upcoming Deadlines Fast Approaching: Next Key Date is February 15, 2018

On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See, 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also those that merely do business in New York. The Regulations also do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulation is wide-sweeping. On August 22, 2017 we published an alert relating to the Regulations; this alert is a follow-up highlighting the next round of disclosures required under the Regulations. A brief overview of who is covered, key dates, and the areas with which compliance must be met is below.

Who is a Covered Entity:
With the exception of an “Exempted Entity” (see below), the Regulations apply to any entity or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” pursuant to New York banking law, insurance law, or financial services laws. This may include New York-licensed lenders, mortgage banks, life insurance companies, savings and loans, charitable foundations and other financial services firms, among others. If your business transacts business in the State of New York, it is important to verify whether your business qualifies as a Covered Entity.

Who is an Exempt Entity:
Not all Covered Entities are required to comply with the Regulations in their entirety. Those with less than 10 employees or independent contractors, less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets are exempt and do not need to comply with sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16.  These Regulations also do not apply to national banks, federal savings banks, and federally-chartered branches of non-U.S. banks (because these entities are regulated by federal law, not New York State law), but will apply to New York chartered or licensed lenders and New York branches of foreign banks. It should be noted that a parent, affiliate or subsidiary of an Exempt Entity that does not have its own basis for an exemption cannot rely on the fact that its parent, affiliate or subsidiary is an Exempt Entity. Therefore, Regulations may still indirectly impact national banks, federal savings banks, and federally-chartered branches of non-U.S. banks. Additional exemptions may also apply under section 500.19. Even exempt entities should be cognizant of the Regulations and requirements thereunder as a standard for protecting third-party information.

Key Dates:
Although the Regulations were effective March 1, 2017, there are several key dates that all Covered Entities should be aware of regarding compliance: Those dates, and the relevance of those dates, are as follows:

• Past Key Dates:
   
  • August 28, 2017: The 180 day transitional period afforded by the Regulation from its effective date ended. Unless otherwise specified, this is that date by which all Covered Entities are required to be in compliance with the Regulations, unless otherwise stated in 23 NYCRR 500.22 or if the applicable transitional period has not yet expired.  
  • September 27, 2017: 23 NYCRR 500.19(e) provided for a thirty day period for a Covered Entity to file a Notice of Exemption. By September 27, 2017, Covered Entities will need to have determined whether as of August 28, 2017 they qualified for a limited exemption under 23 NYCRR 500.19(a) - (d).  
• Next Key Date:
   
  • February 15, 2018: First certification is required to be submitted by Covered Entities pursuant to 23 NYCRR 500.17(b) on or before this date. This is a recurring annual date on which future certifications will need to be filed. A certification of compliance is not yet required for 23 NYCRR 500.04(b), 500.06, 500.08, 500.09, 500.11, 500.12, 500.13, 500.14 or 500.15 (see below).   
• Future Key Dates:
   
  • March 1, 2018: The one year transitional period afforded by the Regulation from its effective date ends. Unless otherwise specified, this is that date by which all Covered Entities are required to be in compliance with section 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) of the Regulations.  
  • September 3, 2018: The eighteen month transitional period afforded by the Regulation from its effective date ends. Unless otherwise specified, this is that date by which all Covered Entities are required to be in compliance with section 500.06, 500.08, 500.13, 500.14(a), and 500.15 of the Regulations.  
  • March 1, 2019: Two year transitional period afforded by the Regulations from its effective date expires. Unless otherwise specified, this is the date by which all Covered Entities must be in compliance with section 500.11 of the Regulations.

What is Required by February 15, 2018:
On or before February 15 of each year, a Covered Entity must submit a certification of compliance (“Certification”) to the DFS. A Certification is a written statement covering the prior calendar year certifying that the Covered Entity is in compliance with the requirements provided for in the Regulations (see example below). Any records, schedules and data supporting the Certification must be maintained by the Covered Entity for a period of five years. In the event that the Certification identifies issues where improvement, updating, or redesign is necessary, then the Covered Entity must document the identification and the remedial efforts that have been planned and/or are underway to address those issues, which documentation must be made available for inspection by the Superintendent. You may download a form Certification provided by the DFS.

The requirements under the Regulations are as follows:

1. Maintenance of a Cybersecurity Program. [500.02];
2. Implementation and maintenance of approved written policy or policies setting forth the policies and procedures for the protection of Information Systems and Nonpublic Information stored on the Information Systems based on the Risk Assessment (as such term is defined in the Regulations) [500.03];
3. Designation of a Chief Information Security Officer (“CISO”) to oversee and implement the cybersecurity program and enforce the cybersecurity policy [500.04(a)];
4. Conducting of annual penetration testing of the Information Systems based off of the Risk Assessment and bi-annual vulnerability assessment. [500.05];
5. Set, and limit, access privileges to Information Systems that provide Nonpublic Information and periodically review the privilege. [500.07];
6. Utilization of cybersecurity personnel (of either the Covered Entity, an Affiliate, or Third Party) to manage cybersecurity risks and to perform and oversee the performance of core cybersecurity functions [500.10];
7. Establish a written incident response plan to respond to, and recover from, a Cybersecurity Event [500.16].

What is NOT Required by February 15, 2018:
Although as a general matter, Covered Entities had 180 days from the effective date of the Regulations (until August 28, 2017) to be in compliance, an additional transitional period is permitted from the following sections:

1. Written report from the CISO to the Covered Entity’s board of directors or equivalent governing body. [500.4(b)] - Compliance Date - March 1, 2018;
2. Audit Trail. [500.06] - Compliance Date - September 3, 2018;
3. Application Security [500.08] - Compliance Date - September 3, 2018;
4. Risk Assessment [500.09] - Compliance Date - March 1, 2018;
5. Third Party Service Provider Security Policy [500.11] - Compliance Date - March 1, 2019;
6. Multi-factor Authentication [500.12] - Compliance Date - March 1, 2018;
7. Limitations on Data Retention [500.13] - Compliance Date - September 3, 2018;
8. Training and Monitoring [500.14(b)] - Compliance Date - March 1, 2018
9. Training and Monitoring [500.14(a)] - Compliance Date - September 3, 2018;
10. Encryption of Nonpublic Information [500.15] - Compliance Date - September 3, 2018.

The foregoing is only an overview of the Regulations, which are much more robust and detailed in regards to what must be completed by a Covered Entity to be in compliance, and does not necessarily include each specific item. If you have any questions or concerns based on the above and/or would like to discuss what must be done in order to be in compliance under the Regulations, please contact us at (860) 251-5000.