DFS-Compliant Cybersecurity Policy for CCRCs

LeadingAge New York is urging lawmakers to support A.1185 (Cahill), legislation that would permit Continuing Care Retirement Communities (CCRCs) to adopt written cybersecurity policies and self-certify that such policies are not inconsistent with the goals of the cybersecurity regulations promulgated by the Department of Financial Services (DFS) in 2017.

DFS's final regulations, effective as of March 1, 2017, require most banks, insurers, and other financial institutions within DFS's regulatory jurisdiction to protect their customer information from cyberattacks. All covered entities are also required to annually certify to DFS that they are complying with the regulations, with the first yearly compliance certification due February 15, 2018. Although CCRCs obtain their certificates of authority from the CCRC Council under Article 46 of the Public Health Law and do not operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization from DFS, the agency clarified in writing for the first time in mid-February 2018 that CCRCs are considered covered entities and are subject to the regulations.

New York's CCRCs are much smaller than most financial institutions and insurers that are subject to these regulations. The average CCRC has a total annual operating budget of approximately $20 million. Unlike banks and most insurers, which transact with thousands of customers—often through e-commerce—CCRCs typically collect funds from only 200 to 400 prospective and existing residents in the form of deposits, entrance fees, and monthly fees. Moreover, as health care providers, CCRCs are already subject to standards for privacy of individually identifiable health information under all applicable laws, including those governing technology, security, and privacy, and corresponding regulations.

Enter your information below to contact your lawmakers, urging them to support A.1185 (Cahill). You can also access LeadingAge NY's memo of support here.

DFS-Compliant Cybersecurity Policy for CCRCs 2025-26 State Budget Materials: View the 2025-26 State Budget materials here.
3 months ago

DFS-Compliant Cybersecurity Policy for CCRCs Public Affairs Council: View resources and updates from LeadingAge New York's new Public Affairs Council here.
2 years ago

DFS-Compliant Cybersecurity Policy for CCRCs Legislative Action Center: View LeadingAge New York's advocacy materials and connect with your lawmakers.

DFS-Compliant Cybersecurity Policy for CCRCs 2025 Advocacy Day: LeadingAge NY's 2025 Advocacy Day will be held on Feb. 4, 2025. Please register as soon as possible – we need your voice in Albany!
6 months ago

DFS-Compliant Cybersecurity Policy for CCRCs Legislative Bulletin: Did you miss an issue of the Legislative Bulletin? Current and past issues are posted here.

DFS-Compliant Cybersecurity Policy for CCRCs Advocacy and Public Policy News: Keep up to date on the latest budgetary, legislative, and political developments in New York State.