High Noon For NY Cybersecurity Compliance

February 1, 2019 at 9:26 am 2 comments

To underscore the importance of New York’s cybersecurity regulations, departing Superintendent Maria Vullo issued a statement yesterday reminding entities subject to New York’s cybersecurity mandates that two key deadlines are fast approaching.

As readers of this blog know, in March 2017, DFS required state-chartered banks, credit unions and other entities which are also subject to New York’s licensing and charter requirements, such as title insurance companies and mortgage bankers, to start implementing NY’s “first in the nation” cybersecurity regulations. These new regulations are comprehensive and mandate that covered entities implement extensive protocols to protect personal information from cyber-attacks. February 15th marks the second year in which institutions subject to these regulations must show that they are in compliance with most of its provisions.

Here are the phasing periods according to a Q&A provided by the DFS: Covered Entities are required to submit certification of compliance with the requirements of 23 NYCRR 500.04(b), 500.05, 500.06, 500.08, 500.09, 500.12, 500.13, 500.14 and 500.15 by February 15, 2019, and certification of compliance with 23 NYCRR 500.11 by February 15, 2020. I underlined this last section because it’s trickier than it seems. Although you don’t have to certify your compliance with 500.11 until 2020, that section actually becomes effective in March of this year. (The transition periods are laid out in 500.22.)

The core of Section 500.11 is a requirement that your institution have policies and procedures in place to safeguard non-public information to which third parties such as vendors have access. You have to implement this framework based on an assessment of each third party’s risk. Due diligence and ongoing oversight are expected for your biggest risks. This could take the form of, for example, mandating that your providers comply with relevant guidelines and updated contractual provisions, coupled with appropriate review to make sure that the right safeguards are actually in place. Ultimately you should sit down with your compliance, IT and legal people and discuss what expectations you are going to impose based on a given vendor’s level of risk.

Enjoy the Super Bowl, see you on Monday.


Entry filed under: Compliance, New York State, Regulatory, technology.


2 Comments

  • 1. Ed Lis  |  February 1, 2019 at 11:02 am

    Henry, because of our federal charter, are we subject to the NYS regulation?

    • 2. Henry Meier  |  February 1, 2019 at 12:25 pm

      No, but if they have a CUSO, like a mortgage bank or title insurance company, those entities would be.



Authored By:

Henry Meier, Esq., Senior Vice President, General Counsel, New York Credit Union Association.

The views Henry expresses are Henry’s alone and do not necessarily reflect the views of the Association. In addition, although Henry strives to give his readers useful and accurate information on a broad range of subjects, many of which involve legal disputes, his views are not a substitute for legal advice from retained counsel.
