New York’s New Reg, Explained

Last week, the New York State Department of Financial Services (NYSDFS) published the final version of its cybersecurity rule, which takes effect on March 1, 2017. The Council’s outside counsel, Steptoe & Johnson, has provided a memo (members only, must be logged in to ciab.com to download) highlighting the scope of the exemptions, the dates for specific requirements and an analysis of the proposed rule.

While the final rule is substantively identical to the last version of the proposed rule, one fundamental change was made to the scope of the exemptions: firms and their affiliates that meet one of the following qualifications are completely exempt from several of the more onerous and prescriptive components of the rule:

  1. Fewer than 10 employees (including independent contractors) located in New York; or
  2. Less than $5,000,000 in gross annual revenue in each of the prior three fiscal years from New York business operations; or
  3. Less than $10,000,000 in year-end total assets.

As a result, brokerage and insurance companies that meet one of the above criteria will only have to comply with the first five requirements under the rule:

  1. A cybersecurity program based on the risk assessment of the covered entity
  2. A written cybersecurity policy approved by each entity’s senior officer or board of directors
  3. Periodic risk assessments to inform design of the cybersecurity program
  4. Policies and procedures applicable to third-party vendors
  5. Proper notices to the NYSDFS Superintendent within 72 hours of a “cybersecurity event”

Technically, the rule goes into effect on March 1, 2017, but covered entities generally will have until August 28, 2017 to transition into compliance with it. The rule also provides delayed compliance dates for many of the specific requirements.

For questions or concerns, please contact The Council’s John Fielding at john.fielding@ciab.com.