Not a Bank or Insurer? The NY Department of Financial Services Cyber Regulations Could Still Apply to You
Now that the New York Department of Financial Services (“DFS”) cybersecurity regulations have partially gone into effect (as of March 1st), you may be wondering: Does this apply to my company? (Don’t worry, you have 180 days from the first of the month to come into compliance if you are.)
The regulations apply to “Covered Entities,” which include organizations operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under one of three statutes: 1) the NY Banking Law, 2) the NY Insurance Law or 3) the NY Financial Services Law. If that definition seems pretty broad, it is: the DFS oversees banks and insurance companies with assets of more than $7.1 trillion. And that doesn’t take in to consideration the entities being supervised under the Financial Services Law, like virtual currency businesses.
Not sure if you fall under the scope? If your company operates in New York, the first question you should ask is, “Does my company meet the definition of a Covered Entity?” According to the DFS website, the three statutes listed in the definition may apply to a veritable smorgasbord of businesses, such as:
- The Banking Law: state-chartered banks, trust companies and credit unions; certain investment companies; safe deposit companies; branches/offices of foreign banks; mortgage brokers, title insurers, mortgage loan originators, mortgage loan servicers; certain lenders.
- The Insurance Law: “Traditional” insurance companies (e.g. health, life, and property insurers), but also companies that write policies relating to animals, prize indemnification, legal services, financial guaranties, and unemployment, among others; wage bond insurance agents and brokers; bail bond agents.
- The Financial Services Law: budget planners, check cashers, licensed lenders, money transmitters, premium finance agencies, sales finances companies, and virtual currency businesses.
If your company is listed on the DFS website, check out the corresponding statute to see if you are in scope. If you are, the next question you should ask is whether you meet an exemption in the new cyber regulations. For instance, exemptions are available based on size (number of employees and independent contractors), revenue (less than $5 million gross), and assets (less than $10 million), among others.
If after all this your company does appear to meet the definition of Covered Entity, you will have 180 days from March 1st (August 28th, 2017) to comply with the first round of applicable requirements, including the implementation of a cybersecurity program and policy, hiring a CISO, complying with access privileges and personnel/intelligence requirements, having an incident response plan, and being responsible for providing notice of qualifying security breaches to the DFS superintendent. The rest of the requirements in the regulations go into effect either 1 year, 18 months, or 2 years from the effective date.
Finally, it’s important to note that the regulations include a requirement to have a third party service provider security policy, to ensure that systems and nonpublic information that are accessible by such parties are secure. Covered Entities will need to develop minimum cybersecurity practices required to be met by these service providers as a condition of doing business, including those relating to access controls, encryption, and breach notification. As a result, organizations that are third party service providers to Covered Entities could find themselves impacted by the DFS regulations in two years, when the third party service provider requirements go into effect.