The New York State Department of Financial Services (NYDFS) has issued revised proposed Cybersecurity Requirements for Financial Services companies that are Covered Entities. The regulation, which insideARM originally reported about in September 2016, will be effective March 1, 2017.
DFS announced last week that it carefully considered all comments submitted regarding the proposed regulation during the 45-day comment period which ended on November 14, 2016. The latest draft incorporates suggestions that were deemed appropriate, and is now subject to a final 30-day comment period, which will end on January 27, 2017.
You can see the rules here.
Per the announcement from the Department,
It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.
The wide-ranging requirements are detailed in the published rules. Of particular note are the exemptions, effective date, and transitional periods:
Section 500.19 Exemptions.
(a) Limited Exemption. Each Covered Entity with:
- fewer than 10 employees including any independent contractors, or
- less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
- less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates,
…shall be exempt from the requirements of Sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.
(b) An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity.
(c) A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of Sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.
(d) A Covered Entity that qualifies for an exemption pursuant to this section shall file a Notice of Exemption in such form set forth as Appendix B. (emphasis added)
(e) In the event that a Covered Entity, as of its most recent fiscal year end, ceases to qualify for an exemption, such Covered Entity shall have 180 days from such fiscal year end to comply with all applicable requirements of this Part.
This Part will be effective March 1, 2017. Covered Entities will be required to annually prepare and submit to the superintendent a Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations under section 500.17(b) commencing February 15, 2018.
Section 500.22 Transitional Periods.
(a) Transitional Period. Covered Entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified.
(b) The following provisions shall include additional transitional periods. Covered Entities shall have:
(1) One year from the effective date of this Part to comply with the requirements of sections 500.04(b), 500.05, 500.09, 500.12, and 500.14(a)(2) of this Part.
(2) Eighteen months from the effective date of this Part to comply with the requirements of sections 500.06, 500.08, 500.13, 500.14 (a)(1) and 500.15 of this Part.
(3) Two years from the effective date of this Part to comply with the requirements of section 500.11 of this Part.
Cybersecurity is clearly going to be an area that gets increasing attention in 2017, in one way or another, for firms of any size. Note that Sections 500.09 and 500.11 are not included in the limited exemption above. This means that all Covered Entities are responsible for conducting a periodic Risk Assessment and for having a Third Party Service Provider Security Policy.
Collection agencies that do work for the Federal Government are already subject to rigorous requirements. These requirements are for those doing business in New York. No doubt other states will follow.