If your agency is organized as a Limited Liability Company (LLC), this will be of interest to you. Several Big I New York members asked how they should complete the annual Certification of Compliance required by the New York cybersecurity regulation, 23 NYCRR 500. We want to pass along a clarification we received from the Department of Financial Services (DFS) that is specific to LLCs.
When filing the annual Certification of Compliance with the DFS, as the cybersecurity regulation requires, you are asked to report who reviewed the Certification of Compliance: the Board of Directors or Senior Officer(s). Since an LLC typically has neither a board of directors nor officers in the corporate sense, we asked the DFS how an agency should properly respond. Here is the DFS response:
“Thanks for your inquiry. Section 500.01(m) defines ‘Senior Officer(s)’ as ‘the senior individual or individuals (acting collectively or as a committee) responsible for the management, operations, security, information systems, compliance and/or risk of a Covered Entity, including a branch or agency of a foreign banking organization subject to this Part.’ Accordingly, Covered Entities will need to do a factual analysis of how this definition applies to their institutions, considering the particular circumstances of their business, their data, their systems and their legal relationship to other Covered Entities.”
Based on this response from the DFS, an LLC should analyze its own operation, but in general it would check the box for “Senior Officer(s)”, since the member(s) or manager(s) who run the agency are the individuals responsible for its management, operations, security and compliance.
Filing Instructions
Before filing the annual Certification of Compliance, you should already have filed for the Limited Exemption (if you qualify). ALL covered entities, with or without the limited exemption, must file the annual Certification of Compliance NO LATER THAN February 15, 2018, and by every February 15 thereafter.
Click here for instructions on how to file the annual Certification of Compliance.
What's Next?
So what's next as far as deadlines under the regulation? Our chart provides a summary; the next deadline is March 1, 2018, for conducting a periodic risk assessment. You should have completed this already when preparing your cybersecurity program and policy for the August 28, 2017 deadline, but if you did not, you have until March 1, 2018 to assess your risk. The regulation does not prescribe a particular method for the assessment, so you may use any method that measures your risk. Going forward, the regulation requires “periodic” risk assessments. That term is also not defined, so you may repeat the assessment as “reasonably necessary”, for example when your systems, data or business change materially.