We recently wrote about the New York Department of Financial Services (“DFS”) publication of the revised proposed cybersecurity regulation. On February 16th, the DFS released the final regulation (the “Regulation”) goes into effect on March 1st without much substantive changes from the proposed revised regulation that was published in December 2016.
The Regulation (23 NYCRR Part 500) applies to a “Covered Entity,” which is defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” 23 NYCRR 500.01(c). As noted previously, the Regulation provides limited exemptions for a Covered Entity with “(1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates; (2) less than $5,000,00 in gross annual revenue in each of the last three fiscal years from New York operations of the Covered Entity and its Affiliates or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. Such exempt entities would be not be required to comply with the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16, specified below. 23 NYRRR 500.19(a)(1)-(3).
Similarly exempt is a captive insurance company under Article 70 of the Insurance Law, provided that it “does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates). Such captives are exempt from the requirements under sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.” 23 NYCRR 19(d). Section 19 contains other limited exemptions to certain types of organizations, such as specific types of risk retention groups and reinsurers, among others, and should be reviewed to determine whether they apply.
In addition, recognizing that compliance by covered entities will require time, the Regulation (23 NYCRR 500.22) provides the following transitional periods for implementation of certain requirements:
August 28, 2017
- Cybersecurity Program (500.02)
- Cybersecurity Policy (500.03)
- CISO (500.004)
- Access Privileges (500.07)
- Cybersecurity Personnel and Intelligence (500.10)
- Incident Response Plan (500.16)
- Notices to Superintendent of Cybersecurity Event (500.17)
- Filing for Limited Exemption (500.19(d))
February 15, 2018
- Annual Certification of Compliance (500.21)
March 1, 2018
- CISO’s annual report to the governingboard (500.04(b))
- Penetration Testing and VulnerabilityAssessments (500.05)
- Risk Assessment (500.09)
- Multifactor Authentication (500.12)
- Cybersecurity awareness training for all personnel that is updated to reflect risksidentified by the Covered Entity in its Risk Assessment (500.14(b))
August 31, 2018
- Audit Trail (500.06)
- Application Security (500.08)
- Data Retention Limits (500.13)
- implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized (500.14(a))
- Encryption of Nonpublic Information (500.15)
March 1, 2019
- Third Party Service Provider Security Policy (500.11)
Any non-exempt Covered Entity subject to the Regulation must be in compliance mode, identifying what regulations apply to them (if less than all) and what they must do to become compliant within the timeframes set by the DFS.