Filing Deadline Approaching for New York’s Cybersecurity Regulation

February 5, 2018

New York Department of Financial Services Superintendent Maria T. Vullo has reminded all regulated entities and licensed persons covered by the Department of Financial Services’s (DFS) cybersecurity regulation that the first certification of compliance must be filed on or prior to Feb. 15, 2018.

The filing requires a statement to the superintendent covering the prior calendar year and must be filed electronically via the DFS cybersecurity portal.

“The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities,” said Vullo in a press release issued by DFS. “As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cyber criminals.”

DFS’s cybersecurity regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with regulatory standards, and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications, Vullo added in the release.

Vullo also announced that DFS will now be incorporating cybersecurity in all examinations. This includes adding questions related to cybersecurity to “first day letters,” which are notices the department issues to commence its examinations of financial services companies, including examinations of banks and insurance companies for safety, soundness and market conduct.

New York’s first-in-the-nation cybersecurity regulation became effective March 1, 2017.

As of the first implementation deadline of Aug. 28, 2017, all banks, insurance companies and other financial services institutions and licensees regulated by DFS are required to have a cybersecurity program in place that is designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a chief information security officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry. Covered entities and licensees must also report cybersecurity events to DFS through the department’s online cybersecurity portal.