NYS DFS releases FAQs around cybersecurity regulation

Authored by Phil Schmoyer

The New York State Department of Financial Services’ (NYS DFS) Cybersecurity Regulation (23 NYCRR 50) took effect in March of 2017 for all defined “covered entities.” Since the announcement, there have been various questions about what is considered a “covered entity” and what is required of these entities. On March 23, 2018, the NYS DFS published a revised frequently asked questions (FAQ) document on its website to provide additional clarity around:

  • definitions,
  • information security board reporting,
  • documentation needing to be submitted with the certification, and
  • evolving the definition of a covered entity to include Health Maintenance Organizations (HMOs) and continuing care retirement communities (CCRCs).

This set of FAQs provides needed guidance to allow entities to properly prepare for and comply with the requirements promulgated by 23 NYCRR 50. Baker Tilly has been working with New York-domiciled entities in developing compliance programs for covered entities since the announcement of the regulation. For assistance in complying with 23 NYCRR 50, download our NYS DFS cybersecurity readiness checklist.

For more information on this topic, or to learn how Baker Tilly financial services industry specialists can help, contact our team.