NYSDFS Upcoming Deadlines Fast Approaching: Next Key Date is September 4, 2018
Alerts
August 28, 2018
On March 1, 2017, the New York State Department of Financial Services’ (“DFS”) first-in-nation Cybersecurity Regulations, designed to protect consumers and financial institutions from cyber-attacks, went into effect (the “Regulations”). See, 23 NYCRR Part 500. The “first-in-nation” nature of the Regulations is extremely important to note: the Regulations apply not only to what is referred to in the Regulations as a “Covered Entity” based in New York, but also to those that merely do business in New York. Furthermore, the Regulations do not just cover financial institutions, but any business entity that is covered by the banking law, insurance law, or financial services laws. As such, the impact of the Regulation is wide-sweeping. On August 22, 2017 we published an alert relating to the Regulations and on and February 6, 2018 we published a follow-up alert highlighting the next round of disclosures required under the Regulations. This alert further highlights the upcoming September 4, 2018 deadline. Shipman & Goodwin LLP Data Privacy Team also conducted a CLE webinar entitled "Compliance Checkup: NY DFS Cybersecurity Regulations" on August 7, 2018.
A brief overview of who is covered, key dates, and the areas in which compliance must be met is below.
Who is a Covered Entity:
With the exception of an “Exempted Entity” (see below), the Regulations apply to any entity or organization “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization” pursuant to New York banking law, insurance law, or financial services laws. This may include New York-licensed lenders, mortgage banks, life insurance companies, savings and loans, charitable foundations and other financial services firms, among others. If your business transacts business in the State of New York, it is important to verify whether your business qualifies as a Covered Entity.
Who is an Exempt Entity:
Not all Covered Entities are required to comply with the Regulations in their entirety. Those with less than 10 employees or independent contractors, less than $5 million in gross annual revenue in each of the last three fiscal years, or less than $10 million in year-end total assets are exempt, and do not need to comply with sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16. These Regulations also do not apply to national banks, federal savings banks, and federally chartered branches of non-U.S. banks (because these entities are regulated by federal law, not New York State law), but will apply to New York-chartered or licensed lenders and New York branches of foreign banks. It should be noted that a parent, affiliate or subsidiary of an Exempt Entity that does not have its own basis for an exemption cannot rely on the fact that its parent, affiliate or subsidiary is an Exempt Entity. Therefore, Regulations may still indirectly impact national banks, federal savings banks, and federally chartered branches of non-U.S. banks. Additional exemptions may also apply under section 500.19. Even exempt entities should be cognizant of the Regulations and requirements thereunder as a standard for protecting third-party information.
Key Dates:
Although the Regulations were effective March 1, 2017, there are several key dates that all Covered Entities should be aware of regarding compliance: Those dates, and the relevance of those dates, are as follows:
- Past Key Dates:
- August 28, 2017: The 180-day transitional period afforded by the Regulation from its effective date ended.
- September 27, 2017: The 30-day period for Covered Entities to file a Notice of Exemption under 23 NYCRR 500.19(a) - (d) expired.
- February 15, 2018: First certification of compliance was required to be submitted by Covered Entities pursuant to 23 NYCRR 500.17(b) on or before this date. This is a recurring annual date on which future certifications will need to be filed.
- March 1, 2018: The one-year transitional period afforded by the Regulation from its effective date ended. Unless otherwise specified, this is the date by which all Covered Entities were required to be in compliance with section 500.04(b), 500.05, 500.09, 500.12, and 500.14(b) of the Regulations.
- APPROACHING KEY DATE:
- September 4, 2018: The eighteen-month transitional period afforded by the Regulation from its effective date ends. Unless otherwise specified, this is the date by which all Covered Entities are required to be in compliance with section 500.06, 500.08, 500.13, 500.14(a), and 500.15 of the Regulations.
- Future Key Dates:
- February 15, 2019: Annual deadline for certification of compliance.
- March 1, 2019: Two-year transitional period afforded by the Regulations from its effective date expires. Unless otherwise specified, this is the date by which all Covered Entities must be in compliance with Section 500.11 of the Regulations.
What is Required by September 4, 2018:
On or before September 4, 2018, a Covered Entity must comply with the following:
- Audit Trail. [500.06];
- Systems should be in place that (i) reconstruct financial transactions sufficient to support normal operations and obligations; and (ii) include audit trails to detect and respond to Cybersecurity Events [as defined in Section 500.01(d) that have a reasonable likelihood of harming any material part of normal operations.
- Application Security [500.08];
- In-House Developed Applications
- Written procedures, guidelines and standards must be in place intended to ensure the use of secure development practices;
- Externally Developed Applications
- Written procedures for evaluating, assessing or testing the security of externally developed applications must be in place;
- In-House Developed Applications
- Limitations on Data Retention [500.13];
- Policies and procedures must be put in place by each Covered Entity for the secure disposal of Nonpublic Information [as defined in Section 500.01(g)(2)-(3)] that is no longer necessary for business operations or other legitimate business purpose, unless an exception applies.
- Training and Monitoring [500.14(a)];
- Risk-based policies, procedures and controls must be implemented to monitor the activity of Authorized Users [as defined in Section 500.01(b)] and detect unauthorized access, use of, or access to Nonpublic Information [as defined in Section 500.01(g)] by Authorized Users.
- Encryption of Nonpublic Information [500.15];
- Controls must be in place to protect Nonpublic Information held or transmitted by the Covered Entity.
What is NOT Required by September 4, 2018:
Although as a general matter, Covered Entities had 180 days from the effective date of the Regulations (until August 28, 2017) to be in compliance, an additional transitional period is permitted for specific provisions. Some of the prior dates were discussed above and/or in our prior alerts. The final requirement for which the deadline has not yet occurred is (except for any recurring reporting deadlines):
- Third Party Service Provider Security Policy [500.11] - Compliance Date - March 1, 2019
Disclaimer:
This is not legal advice and the foregoing is only an overview of the Regulations, which are much more robust and detailed in regards to what must be completed by a Covered Entity to be in compliance, and does not necessarily include each specific item. If you have any questions or concerns based on the above and/or would like to discuss what must be done in order to be in compliance under the Regulations, please contact us to discuss in more detail.