February 15, 2018 Compliance Certification Filing Deadline is Approaching for Covered Entities under New York’s Landmark Cybersecurity Regulation
Covered Entities Must Submit a Statement of Compliance to the Superintendent of Financial Services for Prior Calendar Year
DFS Has Also Added Cybersecurity Questions to “First Day Letters” Issued in Connection with Examinations of Institutions
Financial Services Superintendent Maria T. Vullo today reminded all regulated entities and licensed persons covered by the Department of Financial Services’s (DFS) landmark cybersecurity regulation that the first certification of compliance requiring a statement to the Superintendent covering the prior calendar year must be filed electronically via the DFS cybersecurity portal on or prior to February 15, 2018. Superintendent Vullo also took the opportunity to announce that DFS will now be incorporating cybersecurity in all examinations, including adding questions related to cybersecurity to “first day letters,” which are notices the Department issues to commence its examinations of financial services companies, including examinations of banks and insurance companies for safety and soundness and market conduct.
“The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities,” said Superintendent Vullo. “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with regulatory standards, and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications. DFS’s goal is to prevent cybersecurity attacks, and we therefore will now include cybersecurity in all DFS examinations to ensure that proper cybersecurity governance is being practiced by our regulated entities. As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cyber criminals.”
New York’s first-in-the-nation cybersecurity regulation became effective March 1, 2017. As of the first implementation deadline of August 28, 2017, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS are required to have a cybersecurity program in place that is designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. Covered entities and licensees must also report cybersecurity events to DFS through the Department’s secure online cybersecurity portal.