New York Planners: Time Is Running Out for Your Firm to Qualify for the NYDFS Cybersecurity Regulation Limited Exemption

Article by Brian Edelman, Financial Computer CEO.
Link to the article: Financial Planning Association Practice Management Blog.

Under the new NYDFS cybersecurity regulation (23 NYCRR Part 500), any person or firm operating under a license, registration, charter or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law (a "Covered Entity") is required to assess its security risk profile, design and maintain a cybersecurity program that addresses the risks identified, and file an annual certification confirming compliance with the regulation.

September 27, 2017 is the deadline for filing your Notice of Exemption. A firm that would have qualified for the Limited Exemption but misses this date must instead comply with the full set of requirements, which can cost it thousands of dollars.

You may qualify for a limited exemption if you meet any one of the following criteria (the text below is taken from the New York Department of Financial Services regulation). Note that the exemption is limited, not total: a firm qualifying under section 500.19(a) is exempt from sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16, but must still maintain a cybersecurity program and written policy, perform a risk assessment, limit access privileges, maintain a third-party service provider policy and file the annual certification.

Section 500.19 (a)(1): Have fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity

Section 500.19 (a)(2): Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates

Section 500.19 (a)(3): Less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates

Section 500.19 (b): An employee, agent, representative or designee of a Covered Entity, who is itself a Covered Entity, is exempt from this Part and need not develop its own cybersecurity program to the extent that the employee, agent, representative or designee is covered by the cybersecurity program of the Covered Entity

Section 500.19 (c): A Covered Entity that does not directly or indirectly operate, maintain, utilize or control any Information Systems, and that does not, and is not required to, directly or indirectly control, own, access, generate, receive or possess Nonpublic Information shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15 and 500.16 of this Part

Section 500.19 (d): A Covered Entity under Article 70 of the Insurance Law that does not and is not required to directly or indirectly control, own, access, generate, receive or possess Nonpublic Information other than information relating to its corporate parent company (or Affiliates) shall be exempt from the requirements of sections 500.02, 500.03, 500.04, 500.05, 500.06, 500.07, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part

To file for an exemption: log into the NYDFS Portal and submit the Notice of Exemption. Keep the confirmation email you receive after filing as evidence that you filed on time.

Key Dates Under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

Here are the other important dates to know for the new regulation (the following information is taken from the New York Department of Financial Services).

  • March 1, 2017: 23 NYCRR Part 500 becomes effective.
  • August 28, 2017: 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017: Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018: Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018: One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018: Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019: Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

If you need assistance filing for an exemption, Financial Computer is providing complimentary assistance for FPA members. Click here to schedule some time with one of our cybersecurity experts.

Brian Edelman is a cybersecurity expert and the CEO of Financial Computer, Inc., a company that provides cybersecurity, integrations and IT support to the financial services community.