Dec 27, 2019

Deadline extension: If you are licensed in New York: N.Y.’s cyber security certification of compliance due April 15, 2020

Under New York’s Department of Financial Services cyber security regulation (23NYCRR 500) all covered entities are required to certify each year that they are in compliance with the regulation. Entities cannot certify until Wednesday, Jan. 1, 2020, but the DFS has begun to send notices to covered entities of the certification requirement. All covered entities and licensed persons who are not fully exempt from the regulation are required to submit a Certification of Compliance no later than Wednesday, April 15, 2020, attesting to their compliance for the 2019 calendar year. More on filing instructions. When filing, covered entities will need to use an identifying number. The identifying numbers are: NYS License number, NAIC/NY Entity number, NMLS number or Institution number.

You will receive an email that includes a receipt number for all filings you complete. The receipt will indicate the year the filing was made. The receipt also will indicate the type of filing made: Notice of Exemption will have a receipt number that begins with the letter “E.” Certifications of Compliance will have a receipt number that starts with the letter “C.” You should maintain a copy of this email in your records for future reference.

Unlike in previous years, those who qualified and filed for a limited exemption in 2019 do not need to file a new exemption in 2020. However, if there has been any change in exemption status, covered entities should amend or terminate its exemption. Please note: If you qualify for a limited exemption you must still file the certification of compliance.