New York State Cybersecurity Regulations Regarding Cyber and Data Privacy Obligations Applicable to Banking, Insurance and Financial Services
REMINDER: The New York State Department of Financial Services Cybersecurity Requirements Regarding Cybersecurity and Data Privacy Obligations Applicable to Banking, Insurance and Financial Services Businesses Licensed and/or Registered with the State of New York Became Effective March 1, 2017.
Who: Covered Entities, subject to limited exceptions, include any “Person” operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.[1]
If you claim that you are exempt from the Regulations, you must file with the New York State Department of Financial Services (DFS) a Notice of Exemption within 30 days of the determination of your exempt status.[2]
When: Covered Entities have 180 days to comply with the first aspects of the new Regulations (with rolling compliance obligations thereafter). Accordingly, if you are a Covered Entity, you must be in compliance with the first phase of the Regulations by August 28, 2017. The first annual Certificate of Compliance must be filed with DFS commencing as of and after February 15, 2018.
- If you are a Covered Entity and you have not yet begun the process of undertaking your initial Risk Assessment, we urge you to begin this effort immediately.
- If you are a Covered Entity and you are already undertaking your own assessment, we remind you that part of this process must include an assessment of your vendors and their cybersecurity practices.
Remember: Following the Risk Assessment and Penetration Testing, efforts must then be undertaken to evaluate and prioritize the identified risks, and then to begin the process of remediation and/or mitigation as appropriate.
Personnel need to be trained, and policies need to be prepared and implemented.
All of these efforts must be duly documented and reported, as prescribed by the new Regulations.
Repeat: Compliance is not “one and done.” The mandates of the Regulations require regular assessments, testing, training and reporting.
How: We encourage you to contact us to help you understand, coordinate and execute on these new mandates.
[1] In the final, approved version of the Regulations, the exemptions to the definition of what is a Covered Entity were revised to include (new language noted in bold italics):
(1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
(2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates…
Also note the following additional exemptions, relating to the insurance industry, from certain sections of the Regulations:
(d) A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part…
(f) The following Persons are exempt from the requirements of this Part, provided such Persons do not otherwise qualify as a Covered Entity for purposes of this Part: Persons subject to Insurance Law section 1110; Persons subject to Insurance Law section 5904; and any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR 125.
[2] And companies are advised to review a claimed exemption periodically; as your business grows, a claimed exemption from a prior filing may be lost, in which case your company will then need to come into compliance with the Regulations within the next 180 days.