Compliance documentation is due for covered entities April 15. The cybersecurity policy and risk assessment review, among other requirements, are due April 29.
04/12/2024 9:55 P.M.
Key deadlines for New York’s cybersecurity regulations are coming up this month.
Covered entities under New York’s financial services law have until April 29 to comply with the cybersecurity regulations finalized last year.
By April 15, each covered entity must submit documentation of compliance with the state’s requirements, an annual requirement of the New York Department of Financial Services (DFS).
A “covered entity” means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law, regardless of whether the covered entity is also regulated by other government agencies.
Of note for ACA International members, while collection agencies are generally not covered entities, they will likely qualify as a “third-party service provider” to a covered entity and therefore would be subject to the cybersecurity oversight requirements placed on covered entities.
Page 16 of the DFS cybersecurity requirements (PDF) outlines the notice of compliance due April 15. In general, entities must submit a certification of material compliance or acknowledgement of noncompliance for calendar year 2023. Both annual submissions must be signed by the company’s highest-ranking executive and chief information security officer (CISO).
Overall, the regulations (PDF) aim to ensure cybersecurity risk is integrated into business planning, decision-making and ongoing risk management.
The DFS has provided cybersecurity implementation timelines, which outline key compliance dates for each of the categories of businesses affected by the amendment, ACA previously reported.
This timeline includes key dates for DFS-licensed individual producers, mortgage loan originators, and other businesses that qualify for exemptions under Sections 500.19 (a), (c), and (d) of the amended cybersecurity regulation.
Class A companies are defined in Section 500.1(d) of the cybersecurity regulation.
This timeline includes key dates for DFS-licensed entities that are not Class A companies and that do not qualify for exemptions under the amended cybersecurity regulation.
By April 29, covered entities must review risk assessments and cybersecurity policies, conduct testing of information systems, and have a monitoring process in place to provide prompt notice of security vulnerabilities. Cybersecurity awareness training must include social engineering and be provided at least annually.
Future deadlines include Nov. 1, 2024, when CISO reports must be updated to include plans for remediating material inadequacies and a policy requiring encryption that meets industry standards, among other requirements in the timeline for covered entities (PDF). By May 1, 2025, entities must conduct automated scans of information systems and manual review of systems not covered by the scans, among other requirements.
Learn More
ACA’s compliance team covered the amended regulations in the Nov. 14, 2023, State Guide Cohort webinar, available for subscribers on the State Guide Cohort website.
Protect Yourself
It’s critical to make sure your cyber liability insurance is current, and coverage is easy and affordable for ACA members. Collectors Insurance Agency (CIA), a subsidiary of ACA, provides members exclusive access to risk management products and services tailored to each member’s specific needs. Cyber insurance is an ever-changing market, and with the help of CIA’s partners Aon and Axis, members can obtain the coverage they need to meet today’s—and tomorrow’s—challenges.