DFS’ Cybersecurity Regulation and the Compliance Deadline
The Department of Financial Services’ (“DFS”) cybersecurity regulation, 23 NYCRR 500 (referred to in this article as the “Cyber Regulation”), became effective on March 1, 2017 with a two-year implementation deadline approaching on March 1, 2019. In a nutshell, the Cyber Regulation is designed to protect consumer data and to defend against security attacks. To that end, all DFS regulated entities (unless a limited exemption applies), are required to adopt and implement a cybersecurity program. In broad strokes, the program must include a cybersecurity policy, effective access privileges, cybersecurity risk assessments and training and monitoring for all authorized users. This is particularly relevant now as the second annual certification of compliance is due February 15, 2019, by which time all regulated entities and licensed persons must file a Certificate of Compliance, confirming compliance with DFS’ Cyber Regulation for 2018.
Do Not “Do Nothing” and Rely on a Previous Exemption Filing
Even in the case of an exemption for employees, agents, or representative of a regulated entity (500.19(b)), the individual must still file a Notice of Exemption and identify the regulated entity’s program that is being followed, the name and address of the entity that supports the cybersecurity program, and the name of the representative who can confirm the program.
A regulated entity or person that was previously exempt, should make sure it still falls under one of the applicable limited exemptions (500.19(a)). Is the regulated entity one with (1) less than 10 employees (including independent contractors), or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business, or (3) less than $10,000,000 in year-end total assets? Even if one of these limited exemptions applies, the regulated entity must still maintain a cybersecurity program that meets some but not all the regulatory requirements, including filing an annual Certification of Compliance. Also, licensees who may not be actively using their licenses may be partially exempt provided they are not maintaining nonpublic information concerning former or potential consumers or otherwise maintaining information or systems covered by the Cyber Regulation. Such licensees must comply with certain provisions such as conducting a Risk Assessment in accordance with the Cyber Regulation and submit an annual Certification of Compliance. Thus, while one may have filed a Notice of Exemption initially, it may be necessary to amend or terminate such exemption if the exempt status has changed. The assessment of exemption status is an annual requirement so do not simply rely on a prior calendar year’s filing and if exempt, a Notice of Exemption must be filed each calendar year.
All filings required by the Cyber Regulation must be done electronically on the DFS’ cybersecurity portal. It is recommended that once completed, check for an email that includes a receipt number and maintain this record as proof of filing.
Importantly, regulated persons and entities should be sure to not only have a policy in place, but to actually adhere to it and report cybersecurity events to DFS. DFS issued a December 21, 2018 Memo regarding the Cyber Regulation’s first two years and next steps, wherein it indicates that “the Department has received approximately 1,000 notices of cybersecurity events from regulated institutions.” In fact, according to DFS, “a significant number of events reported to DFS involved breaches that stemmed from employees providing credentials in response to attractive emails that trick a user to provide confidential information” and other access issues involve “credentials churning” and phishing scams. DFS’ Memo stresses the important of “multi-factor authentication (500.12), encryption (500.15) and training (500.14).