Document Retention Aspects of New York Cybersecurity Regulations

The New York Department of Financial Services Cybersecurity Regulations, 23 NYCRR part 500 (the “Cybersecurity Regulations”), require companies subject to the regulations to update their record retention schedule for particular documents mandated by the Cybersecurity Regulations.  In particular, covered entities must have policies and procedures in place for the secure disposal of nonpublic information that comports with other applicable laws and regulations.  Further, they must certify each year that they are in compliance with the Cybersecurity Regulations, and they must retain a copy of the certification, along with “all records, schedules, and data supporting this certificate for a period of five years.”

Implementing this requirement requires understanding the scope of records covered by the Cybersecurity Regulations and understanding the need to retain related records that could have a different retention period.   We have examined this issue already – it may not be as simple as adding a new row to a company’s existing record retention schedule.  We would be happy to help your Company confirm this aspect of complying with the Cybersecurity Regulations. This should be no more than a 2 hour effort, depending on how complex the existing record retention schedule is.  The deadline to complete this was September 4, 2018, so if your Company still needs assistance, there is some urgency.