New York’s Department of Financial Services issued its final Cybersecurity Regulation last night with an effective date of March 1, 2017. For a comparison between the previous proposal and the final regulation, please click here.
The changes from the prior draft, issued on December 28, 2016, are generally minor and not substantive, with one exception. The final regulation broadens and clarifies the limited exemption contained in Section 500.19, which exempts entities from a number of regulatory requirements. The limited exemption now applies to the following:
- Entities with “fewer than 10 employees including any independent contractors of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity”;
- Entities with “less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates”; or
- Entities with “less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates.”
The final regulation also contains a limited exemption for captive insurance companies. We will post a more in-depth analysis of the final regulation next week.