Last week the New York State Department of Financial Services closed its request for comments on its new cyber regulations, Article 24 Part 500. The rule will require new cybersecurity measures for firms that meet the rule’s definition of “Covered Entity.” Among other things, firms will be required to self-certify their compliance (see Appendix A of Part 500). The final regulation will go into effect in March 2017, and there are various transition periods set out for compliance.
What are the requirements?
In summary, the rule will require industry standard best practices for cybersecurity programs. The rule will require firms to:
Who does this apply to?
The rule defines “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
It is our understanding that a firm that is solely an SEC-registered investment adviser, and that has no banking or insurance business regulated by New York State, will not be a “Covered Entity” subject to the rule – even if the firm notice files in New York. However, advisers that also engage in insurance or banking business supervised by New York regulators may be covered. Because it may be unclear in many situations whether a firm is a “Covered Entity,” clients are advised to consult legal counsel on this question.
Even if NY’s Article 24 Part 500 may not be applicable to your firm, it sets out a framework that may be followed by other states, and provides a clear set of guidelines for firms to consider. For ACA Aponix clients that have engaged us for our flagship services, nearly all elements of Part 500 are covered.
If you have questions related to cybersecurity requirements noted in Article 24 Part 500 or would like more information about our flagship services, please contact Henry Lindemann.