The first annual deadline for all regulated entities and licensed persons to file a Certification of Compliance (“Certification”) under the Department of Financial Services’ (“DFS” or “Department”) Cybersecurity Regulation (“Regulation”) was February 15, 2018. In the weeks following the certification deadline, the Department has issued notices to entities and licensees that it believes have failed to file a Certification.

Phillips Lytle’s Data Security & Privacy Practice Team can assist regulated entities and licensed persons who receive such DFS notices in assessing their compliance with the Regulation, ascertaining the status of any applicable exemptions and corresponding obligations, and determining how to proceed after receiving a notice.

The Department has also provided the following guidance about the notices it issued pursuant to the Regulation.

The DFS’ Answers to Key Questions:

  1. Why did I receive this notice?
    All regulated entities and licensed persons of the DFS were required to file a Cybersecurity Regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018. Our records indicate that to date,  you have not made such filings under the Regulation. Please be aware that if you hold more than one license,  you need to file a separate Certification for each license  you hold.
  2. What if I am late with my filing?
    All Covered Entities that have failed to submit the Certification and that are in compliance with the Regulation should do so via the DFS Secure Portalopens in a new window as soon as possible. The DFS Certification is a critical governance pillar for the cybersecurity program of DFS-regulated entities, and the DFS takes compliance with the Regulation seriously. The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.
  3. What if I filed for an exemption from the Cybersecurity Regulation?
    Those who received the reminder are required to file the Certification even if you filed for an exemption under  23 NYCRR Part 500.19. These exemptions have been tailored to address particular circumstances and include requirements that the Department believes are necessary for exempted entities. Covered Entities are required to file a Certification to confirm that they are in compliance with those provisions of the Regulation that apply to the Covered Entity.
  4. I have a receipt showing I already filed.
    Please look at the receipt. If the receipt number you received begins with an “E,” then it is a receipt for filing a Notice of Exemption and not a receipt for filing the required Certification of Compliance. Your exemption does not excuse the filing notice below. The Certification is to cover the period as of December 31, 2017, for all requirements of the Regulation in force by that date. If the receipt number starts with a “C,” please e-mail cyberregcomments@dfs.ny.gov with your name, license number and the receipt number from your cybersecurity Certification of Compliance filing.
  5. When will I receive a reply to my e-mail?
    DFS will reply to e-mails received in the above e-mail box within 30 days.
  6. Does this apply to me?
    Section 500.01 (c) defines a Covered Entity for purposes of the Regulation as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” You will need to determine the applicability of the Regulation to your particular circumstances.
  7. How do I file a Certification of Compliance?
    Certifications of Compliance should be filed electronically via the DFS Secure Portalopens in a new window. Please click the big orange box in the upper right-hand corner that reads “Cybersecurity Filing.” The Covered Entity will first be prompted to  create an account and log in to the DFS Web Portal,  then directed to the filing interface. Filings made through the DFS Secure Portal are preferred to alternative filing mechanisms because there is a secure reporting tool to facilitate compliance with the filing requirements of 23 NYCRR Part 500.

Additional Assistance

For additional questions about the recently issued Cybersecurity Regulation notices, please contact Jennifer A. Beckage at (716) 847-7093, jbeckage@phillipslytle.com, or any member of the firm’s Data Security & Privacy Practice Team.