Key Upcoming Deadlines under the New York DFS Cybersecurity Regulation

Posted by

When New York’s landmark cybersecurity regulation became effective back in March 2017, the Department of Financial Services (DFS) implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019.  Entities covered by the wide-sweeping regulation should remember filing their first certificate of compliance in February of last year.  The two-year implementation period is almost over, and once again, important deadlines are now quickly approaching.  “Covered Entities” (banks, insurance companies, and other financial services institutions and licensees regulated by DFS, that are based in New York or merely do business in New York) need to be mindful of these annual deadlines or face possible penalties.

Prior to February 15, 2019, all regulated entities and licensed persons must electronically file a certificate of compliance with DFS, confirming their compliance with the Regulation for the calendar year 2018. DFS’ instructions for completing the certificate of compliance are available here. In addition, prior to February 15, 2019, covered entities that meet the requirements for exemptions in Section 500.19 must file a notice of exemption, as all prior exemptions are deemed expired.  Instructions for completing the notice are available here.  However, entities that qualify for an exemption need to consider filing both a notice of exemption and a certificate of compliance demonstrating their compliance with the sections of the regulation that continue to apply even after application of the limited exemption. 

In addition, Section 500.11 of the Regulation, relating to Third Party Service Provider Security Policy, comes into effect on March 1, 2019 as the final step in the implementation timeline.  Thus, by March 1, 2019, all Covered Entities must be in compliance with Section 500.11, and Covered Entities will have to certify their compliance with this section for the first time next year as part of the February 15, 2020 submissions. This section requires regulated entities to “implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers.”