The New York DFS has issued a “consensus [notice of proposed] rule making to amend section 500.17 and Appendix A of Title 23 NYCRR.” To amend the date by which Covered Entities must submit a certification of compliance, from February to April. This is the cybersecurity requirements for financial services companies.
As noted in the NPR:
“This proposed rulemaking makes only a technical change, specifically changing from February to April the date by which certificates of compliance required to be submitted to the Department under Part 500 are to be received. As this has no impact on the substantive requirements under Part 500 and merely changes the date on which certifications must be received, and gives Covered Entities more, rather than less time, no person is likely to object to the adoption of this amendment.
“Accordingly, this rulemaking is determined to be a consensus rulemaking, as defined in State Administrative Procedure Act (“SAPA”) § 102( 11 ), and is proposed pursuant to SAPA § 202(l)(b)(i). Therefore, this rulemaking is exempt from the requirement to file a Regulatory Impact Statement, Regulatory Flexibility Analysis for Small Businesses and Local Governments, or a Rural Area Flexibility Analysis.”
Eric J. Ellman is Senior Vice President for Public Policy and Legal Affairs at the Consumer Data Industry Association (CDIA) in Washington, DC. He also served for eight months as Interim President and CEO of the Association. More