DFS' Cybersecurity Regulation and the Compliance Deadline.

Author: Gabay, Sari
Position: [LEGAL UPDATE]

The Department of Financial Services' ("DFS") cybersecurity regulation, 23 NYCRR 500 (referred to in this article as the "Cyber Regulation"), became effective on March 1, 2017, with a two-year implementation deadline approaching on March 1, 2019. In a nutshell, the Cyber Regulation is designed to protect consumer data and to defend against security attacks. To that end, all DFS-regulated entities (unless a limited exemption applies) are required to adopt and implement a cybersecurity program. In broad strokes, the program must include a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users. This is particularly relevant now, as the second annual certification of compliance is due February 15, 2019, by which time all regulated entities and licensed persons must file a Certificate of Compliance confirming compliance with DFS' Cyber Regulation for 2018.

Do Not "Do Nothing" and Rely on a Previous Exemption Filing

Even in the case of an exemption for employees, agents, or representatives of a regulated entity (500.19(b)), the individual must still file a Notice of Exemption and identify the regulated entity's program that is being followed, the name and address of the entity that supports the cybersecurity program, and the name of the representative who can confirm the program.

A regulated entity or person that was previously exempt should make sure it still falls under one of the applicable limited exemptions (500.19(a)). Is the regulated entity one with (1) fewer than 10 employees (including independent contractors), or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business, or (3) less than $10,000,000 in year-end total assets? Even if one of these limited exemptions applies, the regulated entity must still maintain a cybersecurity program that meets some, but not all, of the regulatory requirements, including filing an annual Certification of Compliance. Also, licensees who may not be actively using their licenses may be partially exempt, provided they are not maintaining nonpublic information concerning former or potential consumers or otherwise maintaining information or systems covered by the Cyber Regulation. Such licensees must still comply with certain provisions, such as conducting a Risk Assessment in accordance with the Cyber Regulation and submitting an annual Certification of...
