In April 2017, the New York Department of Financial Services (the “DFS”) released guidance on interpreting 23 NYCRR Part 500, its recently promulgated regulation that requires banks, insurance companies and other financial services institutions regulated by the DFS to adopt broad cybersecurity programs (the “Regulation”), in the form of a frequently asked questions (“FAQ”) document and a list of key dates.
For more information on the Regulation, please see our November 2016, December 2016, January 2017 and March 2017 blog posts.
Frequently Asked Questions
The FAQ document provides answers to fourteen frequently asked questions about the Regulation. In particular, the FAQ document sheds light on the followings areas of ambiguity in the Regulation:
- DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the Regulation. For such entities, only the Information Systems supporting the branch, agency or representative office, and the Nonpublic Information of the branch, agency or representative office are subject to the applicable requirements of the Regulation.
- An entity can be both a Covered Entity and a Third Party Service Provider under the Regulation. If an entity is both a Covered Entity and a Third Party Service Provider, the entity is responsible for meeting the requirements of the Regulation as a Covered Entity.
- Although Covered Entities must submit the first certification by February 15, 2018, Covered Entities are not required to certify compliance with all of the Regulation’s requirements on February 15, 2018. Each annual compliance certification (due February 15 of each year) need only assert compliance with the applicable requirements as of that date. To the extent a particular requirement of the Regulation is subject to an ongoing transitional period at the time of certification, that requirement would not be considered applicable for purposes of the annual certification.
- A Covered Entity may not submit its annual certification unless it is in compliance with all the applicable requirements of the Regulation at the time of certification. The DFS “expects full compliance” with the Regulation.
Some areas of ambiguity were not clarified in the FAQ document. For example, the DFS did not include a FAQ about whether United States banks that are not chartered in New York are covered by the Regulation.
Key Dates
The DFS also released a list of key dates under the Regulation, which is reproduced in full below:
- March 1, 2017– 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
The Regulation’s Effect on Other States’ Regulators
The Regulation may have spurred financial regulators in other states to consider imposing cybersecurity requirements on financial services firms. For example, the Colorado Department of Regulatory Agencies, Division of Securities, recently proposed new cybersecurity rules applicable to broker-dealers and investment advisers. If adopted, Rules 51-4.8 and 51-4.14(IA) would require broker-dealers and investment advisers, respectively, to (1) establish written cybersecurity procedures that meet a number of specified requirements and (2) include cybersecurity as part of their annual risk assessments.