On February 13, 2017, the New York Department of Financial Services (NYDFS) adopted the final version of its first-of-its-kind cybersecurity regulation, “Cybersecurity Requirements For Financial Services Companies” (23 NYCRR 500). This regulation took effect on March 1, 2017. The final regulation reflects several of the comments offered during the final comment period that concluded on January 27, 2017. For a prior list of significant changes from the initial version to the second version, please see our blog post located here.
Most of the changes that are contained in the final regulation consist of formatting and technical changes. Some new provisions clarify already existing provisions, e.g., Section 500.17(b) clarifies that the annual report to the Superintendent should be a report on the prior year. Other minor changes include record retention requirements outlined in Section 500.06(b).
However, perhaps the most significant material change in the final regulation dealt with the limited exemption categories outlined in Section 500.19(a). The prior version provided a limited exemption for those with:
“(1) fewer than 10 employees including any independent contractors, or
(2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or
(3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. . . .”
These provisions did not limit the requirements to New York operations only.
The final version of Section 500.19(a) adds a New York operations component to two of the three categories above Specifically, the new version of Section 500.19(a) provides a limited exemption for entities with:
(1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
(2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
(3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. . . .
The final version of Section 500.19 also retains the exemptions, included in the second version of the new regulation, for:
- captive insurance companies organized under Article 70 of the New York Insurance Law;
- charitable annuity societies organized under Section 1110 of the New York Insurance Law;
- non-domestic risk retention groups organized under Section 5904 of the New York Insurance Law; and
any accredited reinsurer or certified reinsurer that has been accredited or certified pursuant to 11 NYCRR Part 125.
The regulation retains the transitional periods outlined in Section 500.22.
A copy of the official summary of the regulation is located here.
A copy of the revised proposed regulation issued in December 2016 (for purposes of comparison) is located here.