New York State Department of Financial Services Publishes FAQs and "Key Dates" for its Cybersecurity Regulation

Cyber Law and Data Protection Alert | April 27, 2017
By: Joshua Mooney

The New York Department of Financial Services (NY DFS) has published FAQs and “Key Dates” to assist companies in complying with its new cybersecurity regulation, which became effective last month on March 1, 2017. 

The FAQs include:

    • Under 23 NYCRR 500.17(a), is a Covered Entity required to give notice to the Department when a Cybersecurity Event involves harm to consumers? Yes.
    • Is a Covered Entity required to give notice to consumers affected by a Cybersecurity Event? Yes, under New York’s information security breach and notification law – General Business Law § 899-aa.
    • Are the DFS-authorized New York branches, agencies and representative offices of out-of-country foreign banks required to comply with 23 NYCRR Part 500? Yes.
    • Is a Covered Entity required to certify compliance with all the requirements of 23 NYCRR 500 on February 15, 2018? Yes. Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) by this date. This initial certification applies to and includes all requirements of 23 NYCRR Part 500 for which the applicable transitional period under 23 NYCRR 500.22 has terminated prior to February 15, 2018. Accordingly, Covered Entities will not be required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 until February 15, 2019, and certification of compliance with 23 NYCRR 500.11 until February 15, 2020.
    • May a Covered Entity submit a certification under 23 NYCRR 500.17(b) if it is not yet in compliance with all applicable requirements of Part 500? No. NY DFS “expects full compliance” with the regulation.
    • When is a Covered Entity required to report a Cybersecurity Event under 23 NYCRR 500.17(a)? Notice of certain Cybersecurity Events must be given to the superintendent as promptly as possible but in no event later than 72 hours from a determination that a reportable Cybersecurity Event has occurred.
    • How should a Covered Entity submit Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events? Cybersecurity Notices of Exemption should be filed electronically via the DFS Web Portal.

“Key Dates” identified by NY DFS are:

    • March 1, 2017 - 23 NYCRR Part 500 became effective.
    • August 28, 2017 - 180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
    • September 27, 2017 - Initial 30 day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
    • February 15, 2018 - Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
    • March 1, 2018 - One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
    • September 3, 2018 - Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
    • March 1, 2019 - Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

For more information, or if you have any questions or would like to discuss the NY DFS regulation, please contact Josh Mooney (mooneyj@whiteandwilliams.com; 215.864.6345), Jay Shapiro (shapiroj@whiteandwilliams.com; 212.714.3063) or another member of our Cyber Law and Data Protection Group. 

This correspondence should not be construed as legal advice or legal opinion on any specific facts or circumstances. The contents are intended for general informational purposes only, and you are urged to consult a lawyer concerning your own situation with any specific legal question you may have.