NYDFS Issues New Cybersecurity Reporting Guidance
On March 2, 2018, the New York Department of Financial Services (DFS) notified certain Covered Entities, as well as certain of their employees, agents and representatives who are also Covered Entities, of their failure to file a certification of compliance with the DFS's cybersecurity regulations codified at 23 N.Y.C.R.R. Part 500 (Part 500). Shortly thereafter, the DFS issued new guidance regarding the reporting obligations of Covered Entities under Part 500. Banks and other financial services firms and their subsidiaries and affiliates, particularly those that have been notified by the DFS as described above, should review the guidance closely to ensure that applicable Part 500 filing and compliance obligations are being fulfilled in a timely and satisfactory manner.
As discussed in prior Advisories, Part 500 requires Covered Entities to adopt and maintain a cybersecurity program and corresponding cybersecurity policies and procedures. Although in some ways Part 500 is similar to federal requirements and guidance on cybersecurity for banks and securities firms, it differs in certain material respects and imposes substantial reporting obligations upon Covered Entities. Several provisions of Part 500 became effective on March 1, 2017, and by February 15, 2018, Covered Entities were required to submit to the DFS their initial certifications of compliance with those provisions. Additional requirements of Part 500 related to risk assessments, penetration testing and vulnerability assessments, multi-factor authentication and risk-based cybersecurity awareness training became effective on March 1, 2018, while other provisions of Part 500, including the encryption of nonpublic information and third-party service provider compliance, will be phased into effect through March 1, 2019.
Among other things, the new guidance provides that Covered Entities that were notified by the DFS should file their certifications of compliance "as soon as possible" and that any continued failure to certify compliance with Part 500 will be viewed by the DFS as an indication of a substantive deficiency in the Covered Entity's cybersecurity program. Of particular interest, the new guidance also notes that all Covered Entities, even those that filed a notice of exemption from Part 500 pursuant to Section 500.19, must file a certification of compliance with the DFS.[1]
The DFS's cybersecurity reporting guidance is reproduced in full below.
Why did I receive this notice?
All regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018. Our records indicate that to date you have not made such filings under the regulation. Please be aware that if you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold.
What if I am late with my filing?
All Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so via the DFS cybersecurity portal as soon as possible. The DFS Certification of Compliance is a critical governance pillar for the cybersecurity program of DFS regulated entities, and DFS takes compliance with the regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.
What if I filed for an exemption from the cybersecurity regulations?
People who received the reminder are required to file the Certificate of Compliance even if you filed for an exemption under 23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for exempted entities. Covered Entities are required to file a Certificate of Compliance to confirm that they are in compliance with those provisions of the regulation that apply to the Covered Entity.
I have a receipt showing I filed already?
Please look at the receipt. If the receipt number you received begins with an "E" then it is a receipt for filing a Notice of Exemption and not a receipt for filing the required Certificate of Compliance. Your exemption does not excuse the filing noticed below. The Certification of Compliance is to cover the period as of December 31, 2017 for all requirements of the cybersecurity regulation in force by that date. If the receipt number starts with a "C" email firstname.lastname@example.org with your name, license number and the receipt number from your cybersecurity Certificate of Compliance filing.
When will I receive a reply to my email?
DFS will reply to emails received in the above email box within 30 days.
Does this apply to me?
Section 500.01(c) defines a Covered Entity for purposes of the Regulation as "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." You will need to determine the applicability of the regulation to your particular circumstances.
How do I file a Certification of Compliance?
Certifications of Compliance should be filed electronically via the DFS Web Portal. Please click the big orange box in the right-hand corner that says "Cybersecurity Filing." The Covered Entity will first be prompted to create an account and log in to the DFS Web Portal, then directed to the filing interface. Filings made through the DFS Web Portal are preferred to alternative filing mechanisms because the DFS Web Portal provides a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.
* * *
Covered Entities interested in assistance with implementing measures to comply with Part 500 are encouraged to contact any of the authors listed below or your Arnold & Porter contact. The firm's Financial Services team would be pleased to assist with any questions you may have about Part 500, the filing of certifications of compliance or notices of exemption, upcoming examinations, or cybersecurity risk management and compliance more broadly.
© Arnold & Porter Kaye Scholer LLP 2018 All Rights Reserved. This Advisory is intended to be a general summary of the law and does not constitute legal advice. You should consult with counsel to determine applicable legal requirements in a specific fact situation.
[1] Section 500.19 provides limited exemptions from Part 500 for, among other persons and entities, certain smaller institutions with minimal contacts with New York State, entities that do not maintain or are not responsible for information systems or the handling of nonpublic information, and for employees, agents, representatives and designees of Covered Entities who are themselves Covered Entities but are covered by the cybersecurity program of another Covered Entity.