Jan 2, 2019

If you are licensed to do business in N.Y.: Annual recertification for cyber security certification of compliance is Feb. 15, 2019

As required by the New York state cyber security regulation (23 NYCRR 500), all covered entities must certify compliance annually with the New York State Department of Financial Services. This certification must be filed via the NYDFS web portal between Jan. 1 and Feb. 15, 2019, and applies to all effective sections of the regulation.

Since the Feb. 15, 2018 certification, additional sections of the regulation have gone into effect. Thus, in addition to the sections you filed compliance with in 2018; you must certify compliance with following additional sections:

Covered entities who qualify for the limited exemption must now also certify compliance with 500.09 and 500.13.

Those who do not qualify for the limited exemption must certify compliance with eight additional sections: 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15.

The only section of the regulation that has not gone into effect is NYCRR 500.11—Third-Party Service Provider Security Policy. Certification of compliance with this section is not required until Feb. 15, 2020.

NYDFS also announced that limited exemptions filed in 2017 and 2018 have expired. Any NYDFS-regulated entity or licensed person that is currently entitled to a limited exemption must file an Initial Notice of Exemption prior to the Feb. 15, 2019, due date for the annual Certification of Compliance.

For more information on the cyber security regulation, check out the cyber security section of PIA’s Privacy Compliance Central tool kit, which contains the NYDFS’ s FAQ and several additional Ask PIA FAQs.