Deadline Change for New York State Cybersecurity Certifications of Compliance

Entities and individuals subject to the cybersecurity regulations from the New York State Department of Financial Services (“DFS”) will see a change to this year’s filing deadlines.

Under the original regulations (23 N.Y.C.R.R. Part 500 [“Part 500”]) published on March 1, 2017, regulated entities and licensed individuals were required to certify compliance with Part 500 by February 15, 2018, and every year thereafter on that date, by submitting a written certification to the DFS Superintendent. However, DFS appears to have made a recent change to this deadline. Entities and individuals now have until April 15, 2020 to file their certifications of compliance for the calendar year of 2019, and this new deadline will apply to each year going forward.

Some entities and individuals may have already determined that they are exempt from compliance with a portion of these cybersecurity regulations. According to the Cybersecurity Resource Center on the DFS website, entities that previously filed an exemption in 2019 do not need to re-file their exempt status, but entities that have newly determined their exempt status, or that last filed an exemption prior to 2019, must file an Initial Notice of Exemption prior to April 15, 2020.

Notably, the change to the certification deadline is not yet reflected in the regulations and, for now, is only communicated through the DFS website. These types of quick, seemingly unofficial changes are just another aspect of a regulatory, as opposed to a statutory, scheme. Under a regulatory scheme, such as Part 500, the agency tasked with enforcement may give guidance that materially alters compliance obligations. If that guidance conflicts with regulations, it is unenforceable, but few regulated entities wish to be the first to challenge their primary regulator when it comes to regulatory guidance. With that in mind, covered entities under Part 500 should keep a weather eye on both the State Register (for any changes in Part 500 itself) and guidance from DFS (for example, on its Part 500 Cybersecurity Resource Center page).

Attorney Advertising. Prior results do not guarantee a similar outcome. This publication is provided as a service to clients and friends of Harter Secrest & Emery LLP. It is intended for general information purposes only and should not be considered as legal advice. The contents are neither an exhaustive discussion nor do they purport to cover all developments in the area. The reader should consult with legal counsel to determine how applicable laws relate to specific situations. ©2022 Harter Secrest & Emery LLP