Regulated financial entities in New York State caught in a balancing act between usual work and dealing with the repercussions of COVID-19 have a little bit longer to file a Certificate of Compliance now.
In light of the ongoing coronavirus (COVID-19) crisis, the New York Department of Financial Services (NYDFS) recently extended its Cybersecurity Regulation Certificate of Compliance filing deadline from April 15 to June 1.
Entities regulated by NYDFS like banks, insurance companies, and other financial service companies need to file a Certificate of Compliance annually through NYDFS' Cybersecurity portal. Filing the certification, a key part of the department's Cybersecurity Regulation (23 NYCRR 500) demonstrates that each entity has complied with the regulation and has a cybersecurity program in place to protect the confidentiality, integrity, and availability of the organization's networks and systems. If an organization hasn't already filed a certificate attesting to their compliance for the 2019 calendar year, they now have another 45 days to do so.
The postponement is one of several actions taken by NYDFS to better accommodate banks, credit unions and other financial institutions - entities that fall under NYDFS – struggling with uncertainties introduced by COVID-19. The news follows an announcement by NYDFS that it was seeking a COVID-19 preparedness plan by all entities to outline how each was planning to mitigate risk introduced by the virus.
News NYDFS was extending its filing deadline came in a document it released recently, "Order Granting Temporary Relief to COVID-19 Affected Regulated Entities and Persons." In addition to certifications of compliance with cybersecurity requirements and transaction monitoring and filtering programs, NYDFS said it'd also be postponing a slew of reports, including:
- Annual Reports and Comparative Statements of commercial banks, trust companies, stock-form savings banks and stock-form savings and loan associations, as required by 3 NYCRR 24;
- Annual Reports of licensed lenders, sales finance companies and money transmitters, as required by Sections 349, 497.1, 498-b and 646.3 of the Banking Law, respectively;
- Quarterly Reports of budget planners as required by 3 NYCRR 402.4;
- Audited Financial Statements of budget planners as required by Section 582 of the Banking Law and 3 NYCRR 402.12(c);
- Annual Reports and Audited Financial Statements of check cashers as required by 3 NYCRR 400.3;
- Volume of Operation Reports of mortgage bankers and mortgage brokers as required by 3 NYCRR 410.7;4
- Volume of Servicing Reports of mortgage loan servicers as required by 3 NYCRR 419.8;
- Quarterly Financial Statements of virtual currency licensees as required by 23 NYCRR 200.14(a); and
- Annual Reports of student loan servicers as required by Section 717.2(a) of the Banking Law and 3 NYCRR 409.11(a).
Of course, it's important to note that just because the NYDFS is pushing back its certification deadline doesn't give banks a free pass when it comes to ensuring that cybersecurity safeguards are in place.
In the event of a cybersecurity event, like a breach, organizations still need to notify consumers under New York’s information security breach and notification law. 23 NYCRR 500 similarly requires organizations have post-breach communication plans in place, including notices to affected customers and to the department itself disclosing the incident.
Failure to comply NYDFS' Cybersecurity Regulation could cost an organization $2,500 a day, $15,000 a day for egregious violation, or $75,000 a day for knowing or willful violations.