For the several thousand financial institutions and insurance companies covered by New York’s landmark data security regulation, the first certification of compliance must be filed with the State’s Department of Financial Services in less than a month.
“The DFS compliance certificate is a critical governance pillar for the cybersecurity program of all DFS regulated entities,” said Superintendent Vullo in a press release.
As we discussed in this blog last week, the certification must be signed by the Chairperson of an organization’s Board of Directors (on behalf of the Board) or by a Senior Officer (or Senior Officers). The regulation defines Senior Officer as someone with responsibility for “the management, operations, security information, systems, compliance and/or risk” of the entity. That earlier post also covered how to decide who—the Board of Directors or a Senior Officer—should sign the compliance certification.
The press release also noted that, as of the first implementation deadline of August 28, 2017, all affected organizations “are required” to have the following in place:
Cybersecurity program in place that is designed to protect consumers’ private data;
Written policy or policies that are approved by the Board or a Senior Officer;
Chief Information Security Officer to help protect data and systems; and
Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
The detailed requirements for the first compliance certificate are more fully explained in the regulation.
At the same time, Superintendent Vullo announced that, going forward, DFS will include cybersecurity questions in all DFS examinations.
“DFS’s goal is to prevent cybersecurity attacks, and we therefore will now include cybersecurity in all DFS examinations to ensure that proper cybersecurity governance is being practiced by our regulated entities,” she said.
On its web portal, DFS maintains a set of frequently asked questions, which are periodically updated.