NYDFS Issues Guidance for Individual Filers
On March 23, 2018, the New York Department of Financial Services (DFS) issued two additional frequently asked questions and responses (FAQs) relating to its new cybersecurity regulation (Part 500). Part 500, several provisions of which became effective on March 1, 2017, has garnered widespread attention from banks, insurance companies and other financial services firms. Covered Entities were required to submit the first annual certifications of compliance to the DFS by February 15, 2018. On March 2, 2018, many Covered Entities, as well as certain of their employees, agents and representatives who are also Covered Entities, were notified of their failure to file a certification of compliance with the DFS. The two new FAQs supplement FAQs released previously to guide affected institutions.
As discussed in our prior Advisories, Part 500 requires Covered Entities to adopt and maintain a cybersecurity program and corresponding cybersecurity policies and procedures. Although Part 500 resembles federal cybersecurity requirements and guidance for banks and securities firms in some respects, it differs in certain material ways and imposes substantial reporting obligations on Covered Entities. Covered Entities were required to submit their initial certifications of compliance with the provisions that took effect on March 1, 2017 to the DFS by February 15, 2018. Additional requirements related to risk assessments, penetration testing and vulnerability assessments, multi-factor authentication and risk-based cybersecurity awareness training became effective on March 1, 2018, while other provisions, including the requirements for encryption of nonpublic information and third-party service provider compliance, will be phased into effect through March 1, 2019.
In the first new FAQ, the DFS clarifies for individual filers operating under their own individual DFS license that the DFS expects them to file the Certification of Compliance as if the individual were acting as a "Senior Officer" under Part 500. In the second new FAQ, the DFS clarifies the meaning of "Entity ID" on the DFS' cyber portal.
The two new FAQs are reproduced verbatim below.
1. If I am an individual with no Board of Directors, then who can file my Certification of Compliance?
23 NYCRR 500.01 defines Senior Officer as "the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity…". A Covered Entity is defined as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law". Individuals filing a Certification of Compliance for their own individual license are acting as a Senior Officer, as defined in the Regulation, and should complete the process in that manner.
2. In the cyber portal, what does Entity ID mean?
Your Entity ID is your unique license or charter number issued by the State of New York. However, for Insurance companies, your Entity ID will be your NAIC number. For Mortgage Loan Originators, your Entity ID will be your NMLS number. For Insurance producers, please do not include the leading alpha characters of your License Number (e.g., BR, IA, LA, PC, TLA).
* * *
Covered Entities interested in assistance with implementing measures to comply with Part 500 are encouraged to contact any of the authors listed below or your Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions you may have about Part 500, the filing of certifications of compliance or notices of exemption, upcoming examinations, or cybersecurity risk management and compliance more broadly.
© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.