Entities and individuals subject to the cybersecurity regulations from the New York State Department of Financial Services (“DFS”) will see a change to this year’s filing deadlines.
Under the original regulations (23 N.Y.C.R.R. Part 500 [“Part 500”]) published on March 1, 2017, regulated entities and licensed individuals were required to certify compliance with Part 500 by February 15, 2018, and every year thereafter on that date, by submitting a written certification to the DFS Superintendent. However, DFS appears to have made a recent change to this deadline. Entities and individuals now have until April 15, 2020 to file their certifications of compliance for the calendar year of 2019, and this new deadline will apply to each year going forward.
Some entities and individuals may have already determined that they are exempt from compliance with a portion of these cybersecurity regulations. According to the Cybersecurity Resource Center on the DFS website, entities that previously filed an exemption in 2019 do not need to re-file their exempt status, but entities that have newly determined their exempt status, or that last filed an exemption prior to 2019 must file an Initial Notice of Exemption prior to April 15, 2020.
Notably, the change to the certification deadline is not yet reflected in the regulations and, for now, is only communicated through the DFS website. These types of quick, seemingly unofficial changes are just another aspect of a regulatory, as opposed to a statutory, scheme. Under a regulatory scheme, such as Part 500, the agency tasked with enforcement may give guidance that materially alters compliance obligations. If that guidance conflicts with regulations, it is unenforceable, but few regulated entities wish to be the first to challenge their primary regulator when it comes to regulatory guidance. With that in mind, covered entities under Part 500 should keep a weather eye on both the State Register—for any changes in Part 500 itself—and on guidance from DFS—for example on its Part 500 Cybersecurity Resource Center page.