The Cybersecurity Certification of Compliance Has Changed


Entities that the New York State Department of Financial Services (DFS) regulates will soon complete the compliance filings that the financial services cybersecurity regulation requires. This year they will notice a change.

The DFS regulates entities in the banking, financial services, and insurance sectors. These entities must submit a statement by April 15 each year about the state of their compliance with the regulation’s requirements. Before this year, they had to submit a statement that they were complying with them during the prior calendar year.

An amendment to the regulation that took effect last November 1 expanded that requirement. Entities will have to complete and submit one of two forms:

Your agency will complete and submit the first one if it “materially complied” with the regulation’s requirements during the prior calendar year. The agency must base this on records that support the conclusion.

The agency must submit the second one if it did not meet the requirements in one or more sections of the regulation that apply to it. The person completing this form must:

  • Acknowledge that the agency did not “materially comply” with all the regulation’s requirements during the prior year.
  • Identify the sections the agency did not comply with.
  • Describe what the agency failed to do and how big the failure was.
  • Either affirm that the agency has since met the requirements or provide a timeline for eventual compliance.

The agency’s highest-ranking executive and its chief information security officer (CISO) must sign whichever form the agency submits. If the agency does not have a CISO, the senior officer responsible for the agency’s cybersecurity program must sign it instead. Most Big I New York members do not have a CISO. If the highest-ranking executive and the person responsible for cybersecurity are the same person, that person must sign it in both spaces.

Your agency must retain the documents supporting its filing for five years.

If you are one of the 92% of Big I New York members who qualify for the limited exemption, you must certify compliance or acknowledge noncompliance only with those sections of the regulation that apply to you.

Two things that have not changed:

  • Your licensed employees who your agency’s cybersecurity program covers do not have to submit either of these forms. They should have submitted a Notice of Exemption and given Section 500.19(b) as the reason.
  • The regulation does not require the agency or its licensed employees to submit the Notice of Exemption again unless something has changed. An employee who changed employers or their name must submit a new one. So does an agency that grew too large to qualify under one of the three criteria for the limited exemption. If none of that is the case, the regulation does not require a Notice of Exemption every year. We have spoken with members who have done this unnecessary work.

More information is always available at: