Privacy & Cybersecurity Law Blog

Earlier this month, the New York State Department of Financial Services (“NYDFS”) recently published FAQs and key dates for its cybersecurity regulation (the “NYDFS Regulation”) for financial institutions that became effective on March 1, 2017.

The FAQs address topics including:

• whether a covered entity is required to give notice to consumers affected by a cybersecurity event;
• whether a covered entity may adopt portions of an affiliate’s cybersecurity program without adopting all of it;
• whether DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks are required to comply with the NYDFS Regulation;
• what constitutes “continuous monitoring” for purposes of the NYDFS Regulation;
• how a covered entity should submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events; and
• whether an entity can be both a covered entity and a third-party service provider under the NYDFS Regulation.

The NYDFS also listed key dates for the NYDFS Regulation, which include:

• March 1, 2017 – the NYDFS Regulation becomes effective.
• August 28, 2017 – the 180-day transitional period ends and covered entities are required to be in compliance with requirements of the NYDFS Regulation unless otherwise specified.
• September 27, 2017 – the initial 30-day period for filing Notices of Exemption ends.
• February 15, 2018 - covered entities are required to submit the first certification under the NYDFS Regulation on or prior to this date.
• March 1, 2018 – the one year transitional period ends. Covered entities are required to comply with certain requirements such as those related to penetration testing, vulnerability assessments, risk assessment and cybersecurity training.
• September 3, 2018 – the eighteen month transitional period ends. Covered entities are required to comply with audit trail, data retention and encryption requirements.
• March 1, 2019 – the two year transitional period ends. Covered entities are required to develop a third-party service provider compliance program.

In a recent conference of the National Association of Insurance Commissioners, Maria Vullo, the NYDFS superintendent, stated that “The New York regulation is a road map with rules of the road.”