5-16-2017 NEW "FIRST-IN-THE-NATION" REGULATION: CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICE COMPANIES

Posted on May 15, 2017

The New York State Department of Financial Services (DFS) recently enacted regulation aimed at protecting consumers and businesses from cyber-attacks. Effective March 1, 2017, 23 NYCRR 500 mirrors the NIST Cyber-Security Framework released under the direction of the Obama administration in 2014.

Companies subject to this new regulation include non-governmental corporations, agencies, or partnerships that operate under a license, registration, charter, certificate, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law.  There are three exemptions built into the regulation for companies (1) with fewer than 10 employees, (2) less than $5,000,000 in gross annual revenue in last three years from New York operations, or (3) less than $10,000,000 in year-end total assets. However, these exemptions do not apply to the entire regulation, but instead only to certain sections and thus must be examined closely.  An exemption must also be affirmatively claimed.  Note that even if a company qualifies for a limited exemption, this new regulation will set a new standard in the industry, and so full compliance may be a wiser course to minimize liability exposure.

Some of the more onerous requirements of the regulation include the following:

  1. filing an annual compliance notice with the DFS Superintendent;
  2. yearly cyber security training for employees;
  3. third-party provider security policy;
  4. data retention; and
  5. annual system testing.

Many of the elements included in the regulation, such as having a written cyber security policy and required data encryption, may already be in use at larger financial institutions.  However, for the financial services, this will now be mandatory in New York State.  For companies that do business in multiple states, New York's new regulations may result in pushing the industry towards the NIST Cyber-Security Framework more quickly than if the framework was strictly voluntary. 

The regulation also has multiple transition periods built in. Critical dates include:

March 1st, 2017: 23 NYCRR Part 500 became effective.

August 28, 2017: 180 day transitional period ends. Covered entities must be in compliance with Part 500 unless otherwise specified in the regulation (see transitional periods below).

September 27, 2017: 30 day period for filing Notice of Exemption ends.

February 15, 2018: Covered Entities must submit first certification under 500.17(b) (written statement to superintendent covering the prior calendar year) on or prior to this date.

March 1, 2018: End of one year transitional period. Full compliance with sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) is required.

September 3, 2018: End of Eighteen month transitional period. Full compliance with sections 500.06, 500.08, 500.13, 500.14(a), and 500.15 is required.

March 1, 2019: End of two year transitional period. Full compliance with section 500.11 (third party service provider security policy) is required.

The technical nature of the requirements is likely to encourage cybersecurity consultants to offer compliance services formulated to assist companies with the new requirements.  With the initial certification deadline just months away, it is recommended that covered entities compare their existing cyber security plans and procedures to the new section 500 and start on the process to reach compliance.

 For questions regarding the new regulation, or other cybersecurity-related legal matters, contact Greta Kolcon, Esq. or your Woods Oviatt attorney.


Greta K. Kolcon

Stephen Burke