New York Rule 500 dictates NY financial institutions must certify cybersecurity programs by February 15, 2018

New York State is the first in the U.S. to impose a comprehensive cybersecurity regulation on financial institutions, and the regulation, “Cybersecurity Requirements for Financial Services Companies,” (also known as NY Rule 500 or 23 NYCRR Part 500) has a key deadline on the horizon. February 15, 2018 is the date by which the entities are required to submit the first certification under Section 500.17(b).

The rule requires the New York regulated entities to create and maintain a cybersecurity program which protects the confidentiality, integrity and availability of their information system, while also considering risk factors and tolerance. Unlike the cybersecurity program deadline imposed on U.S. Defense contractors, the deadlines for the financial services sector roll out in phases.

The certification required is a written statement that documents the problems and gaps identified, as well as the plan of action on how to remediate these issues. It will be due every year on February 15th.

Is New York irrelevant to you? Not so fast. The New York rule has become the model for other state and organizational frameworks – and now has nationwide impact. For example, in October 2017, the National Association of Insurance Commissioners (NAIC) adopted the Insurance Data Security Model Law. This “Model Law” is similar to the New York law, but has wider reach. NAIC states that it “is the U.S. standard-setting and regulatory support organization created and governed by the chief insurance regulators from the 50 states, the District of Columbia and five U.S. territories.” So, it’s worth paying attention to this New York rule annual deadline, because they will likely be replicated.

By Colleen H. Johnson, Sera-Brynn Senior Legal Analyst