My insurance broker client, who sells policies via their e-commerce website, received an email from the New York State Department of Financial Services (DFS) asserting a requirement that my client file a "Certification of Compliance" by February 15, 2020.
I've never heard of this before, nor has my client. The entity's website is www.dfs.ny.gov.
I assume we must file as indicated, but I can't tell if this is something required only of businesses incorporated in NY State, which my client's company is not.
I'd be grateful to know if anyone here knows whether a response on my client's part is required. Following are the money quotes from the email:
"All regulated entities and licensed persons of the DFS were required to file an annual cybersecurity regulation Certification of Compliance under Part 500. Although you did not file a Certification of Compliance this year, this is an early reminder that one is due by February 15, 2020. If you are compliant with all sections of the Part 500 that apply to you by the end of the year, then please file your Certification in a timely manner. If you do not file a Certification because you were not compliant with Part 500, then please keep appropriate documentation including any remedial plans....
"The Department will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency. Any current or future deficiencies of Part 500 might lead to penalties including possible fines and prevention of your license renewal."