Last week, the New York Department of Financial Services (DFS) sent notices to companies that had not yet certified their compliance with the DFS Cybersecurity Regulation. DFS not-so-gently reminds companies to submit a Notice of Exemption or a Certificate of Compliance. A copy of that notice is now available online.

Even for those companies that have already certified their compliance, the notice provides some interesting information. For example:

  • DFS explains that persons or companies that “hold more than one license,” must “file a separate Certification of Compliance for each license” held.
  • Because this is a new regulation, DFS appears to recognize that some covered entities will file a late Certificate of Compliance. For example, the notice asks that “[a]ll Covered Entities that have failed to submit the Certification and that are in compliance with the regulation should do so” as “soon as possible.”
  • Even companies that filed a Notice of Exemption might still need to file a Certificate of Compliance. Covered entities that qualify for Section 500.19’s “Limited Exemption” must still “confirm that they are in compliance with those provisions of the regulation that apply.”

That many covered entities received a notice for not certifying their compliance with the regulation is hardly surprising, especially if located outside of New York. The scope of the regulation is far-reaching, covering “any individual or any non-governmental entity” operating “under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” Using the insurance industry as an example, there are—by our count—more than 230,000 unique individuals or companies with a New York agent or broker license in the DFS database. And more than 130,000 of those persons or entities have a business address outside of New York.

In light of DFS’s notice, covered companies and individuals should work diligently to certify their compliance as soon as possible.

The next major compliance date under the DFS regulation is September 3, 2018, when the 18-month transition period ends. We’ll discuss those requirements in a future blog post.