On February 13, 2017, the New York State Department of Financial Services (“DFS”) adopted final regulations concerning cybersecurity requirements for financial services companies. The regulations took effect on March 1, 2017.
The DFS first issued the proposed regulations in September 2016. After a 45-day comment period, the DFS published updated proposed regulations in December 2016 and allowed 30 additional days for comments. The regulations, as drafted, would have applied to charitable organizations holding special permits to issue gift annuities in New York State. The regulations would have required charitable organizations issuing gift annuities to appoint a Chief Information Security Officer, or hire a third party to fulfill this duty, implement a written cybersecurity policy, develop a plan for disposal of nonpublic information, and conduct periodic risk assessments. Entities which failed to meet these extensive requirements would face undefined penalties. Most issuers of gift annuities outsource administration to banks or trust companies, which are themselves subject to the regulations. Requiring compliance from the charitable sector would create a redundancy.
The final regulations contain an exemption for charitable organizations holding special permits to issue gift annuities. Most charitable organizations would have qualified for a limited exception under the proposed regulations, but would have been forced to comply with several requirements, and issue a notice of their exemption to the DFS. The final version of the regulations totally exempts charitable organizations holding a special permit. Moreover, the exemption is self-executing; charitable organizations are not required to send notice to the DFS.
In conversations between representatives of the American Council on Gift Annuities and the DFS, the agency indicated it was surprised to learn of the proposed regulations' effect on charitable organizations. The submission of public comments and phone calls by the ACGA and others helped educate the DFS about the burdensome impact of the regulations. The final version of the regulations demonstrates the effectiveness of these outreach efforts.