Monday, March 5, 2018

Did You File Your Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations?

Last Thursday, March 1, 2018, marked the one-year anniversary of the New York State Department of Financial Services' (NYSDFS') promulgation of its trailblazing CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES regulation -- 23 NYCRR Part 500.

As far as I know, large and small insurers alike doing business in New York paid attention and took notice of the regulation's key dates and deadlines:
  • March 1, 2017 -- 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 -- 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017 -- Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018 -- Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 -- One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 -- Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 -- Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

But what about the small-sized licensees of the NYSDFS?  The one- or two-person independent adjusting company or small independent insurance brokerage or agency?  Did they pay attention and comply?

On good authority I understand that late last Friday night the NYSDFS blasted out emails to licensees who had not yet filed their certifications of compliance with the NYSDFS' cybersecurity regulations.  Those who didn't check their work emails over the weekend had quite the not-so-good Monday morning inbox discovery today.

The regulation builds in limited exemptions for certain persons and entities based on size and the type of electronic information collected, processed, maintained, used, shared, disseminated or disposed of, but certain subsections of Part 500 will apply to all licensees. For example, for Covered Entities having fewer than 10 employees and independent contractors, or less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, only the following subsections of Part 500 apply:
  • 500.03 -- implement and maintain a cybersecurity policy
  • 500.07 -- limit access privileges to Information Systems that provide access to Nonpublic Information and periodically review such access privileges
  • 500.09 -- conduct periodic risk assessments
  • 500.11 -- implement written policies and procedures for Third Party Service Providers
  • 500.13 -- include within the Covered Entity's cybersecurity program policies and procedures for secure disposal of Nonpublic Information
The regulation is fairly complex. Many licensees have retained IT companies to assist in complying with certain subsections of the regulation. Now, one year past the effective date of the new regulation, there are plenty of such companies out there claiming to be experienced in doing so.