While the New York Department of Financial Services' Cybersecurity Regulation, 23 NYCRR 500, may be in the rear-view mirror - it went into effect back on March 1, 2017 - it doesn't mean there aren't any remaining deadlines to adhere to.
For the first time since the Cybersecurity Regulation was implemented, Covered Entities need to certify their compliance with 23 NYCRR 500 as it pertains to third party service providers. The deadline - February 15, 2020 - is the last imposed by NYDFS, and is outlined in section 500.11 of the regulation.
That means following the holidays if they haven’t already done so, organizations will have roughly six weeks to ensure that they've completed a risk assessment around the appropriate controls for third party service providers.
Originally released on February 16, 2017, NYDFS’ Cybersecurity Regulation imposes a set of cybersecurity requirements (.PDF) for covered entities that operate under NYDFS licensure, including banks, mortgage companies, insurance firms, licensed lenders, private bankers, and service providers. The regulation was formed to "promote the protection of customer information as well as the information technology systems of regulated entities."
Under 500.11, organizations need to demonstrate that they've developed and implemented written policies and procedures to ensure the security of information systems and nonpublic information (NPI) that's either accessible or held by third party service providers.
500.01 - NYDFS' definition section - defines third party service providers, or TPSPs, as any person that isn't an affiliate of the Covered Entity that provides services and maintains, processes or is permitted to access nonpublic information through its provision of services. Typically this could be anything from a payroll service provider to a backup and recovery provider to a cloud-based service provider - anything that could act as a repository for customer NPI.
The certification of compliance deadline has been viewed as one of the more challenging ones; hence the 2020 deadline, two years after Feb. 2018, when the first transitional phase of regulation went into effect.
Given Covered Entities often have multiple TPSPs involved with data on a day to day basis, there are a handful of hoops organizations need to jump through in order to certify compliance and mitigate risk.
February 15 is also the date that Covered Entities and licensed persons who aren't fully exempt from the Regulation need to submit a Certification of Compliance attesting to their compliance for the 2019 calendar year.
As we noted, this is the last certification of compliance deadline; two other deadlines expired earlier this year - on February 15, 2019 and March 1, 2019 - with the passage of the regulation's two-year transition period.
Covered Entities needed to demonstrate that they’d applied the effective requirements in 23 NYCRR 500 last year in order to give its third-party vendors a year to shore up compliance. That year runs out in two months.