If you are an individual or company regulated by the New York State Department of Financial Services (NYDFS), you may have received an email from NYDFS reminding you to submit your Certification of Compliance as soon as possible. New York’s relatively new cybersecurity regulation, 23 NYCRR 500 (the Regulation), requires all people and companies covered by the Regulation (Covered Entities) to file an annual statement (Certification of Compliance) by February 15 certifying that the entity was compliant with the Regulation as of December 31 of the prior calendar year.

If you have not filed yet, please consider the following points:

  • NYDFS advises that Covered Entities should file as soon as possible. The filing system is relatively user-friendly. You have to file via the portal. NYDFS has stated that it “will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.”
  • The certification needs to be done by a senior officer or board of directors, and one Certification of Compliance needs to be filed for each license held by the Covered Entity.
  • Some Covered Entities did not file because they claimed an exemption under 23 NYCRR 500.19 and believed that this exempted them from filing a Certification of Compliance. NYDFS has advised that all Covered Entities claiming an exemption are required to file a Certification of Compliance except those who have claimed an exemption under 23 NYCRR 500.19(b). This exemption applies to Covered Entities who are employees of Covered Entities.
  • The Regulation contains a transition component. The Certification of Compliance only applies to those provisions in effect as of December 31, 2017.
  • Finally, NYDFS is aware that this is the first year that the Certification of Compliance was required. NYDFS has set up a FAQ page to address these and other issues. Additional questions can be submitted to NYDFS at cyberregcomments@dfs.ny.gov.

If you have questions about filing your Certification of Compliance or how New York’s Cybersecurity regulation impacts you or your business, please contact a member of Goldberg Segalla’s Insurance Regulatory or Cybersecurity and Data Privacy teams.

By Aaron J. Aisen of Goldberg Segalla