In response to the COVID-19 pandemic, the New York Department of Financial Services (DFS) recently extended by 45 days the deadline for companies to certify compliance with the DFS cybersecurity regulation. The annual certification is now due on June 1, 2020.
In 2018 and 2019, companies covered by the cybersecurity regulation were required to certify their compliance to DFS by February 15. But for 2020, DFS had already pushed the certification deadline back to April 15. DFS did so because 2020 is the first year in which financial institutions must certify that they have complied with each provision of the regulation.
Because of the pervasive business disruption caused by the COVID-19 pandemic, Superintendent Linda Lacewell has pushed the filing deadline back further to June 1. The Superintendent explained that, in light of the state of emergency in New York, the extension is “necessary to assist affected regulated entities and persons to meet their obligations under” the cybersecurity regulation and other applicable laws.
Although the Superintendent extended the time to file the annual certification, her order clarified that the “extensions do not include notices to the Superintendent of a cybersecurity event required pursuant to 23 NYCRR 500.17(a).” Accordingly, companies must continue to notify DFS within 72 hours of a qualifying “Cybersecurity Event.”
We will continue to monitor announcements by DFS and report on them.