The time has come for entities regulated by the New York Department of Financial Services to make their first certification of compliance with the regulator’s cybersecurity rules.

What happened

Last March, the “Cybersecurity Requirements for Financial Services Companies” took effect for banks, insurance companies, money services businesses and other financial services institutions under DFS jurisdiction. The first-in-the-nation regulations generally require covered entities to assess their specific risk profile and design a program that will “ensure the confidentiality, integrity and availability” of the entity’s information systems and “nonpublic information,” including any business-related information, information provided to a covered entity, healthcare information and personally identifiable information.

In addition, covered entities must establish a written cybersecurity policy covering topics ranging from business continuity and disaster recovery planning to physical security and environmental controls to the designation of a chief information security officer, with that officer or another member of senior management obligated to file an annual certification with the DFS that confirms compliance with the regulations.

Now the time has come for the first compliance certification. As of Feb. 15, covered entities need to visit the DFS portal to certify compliance with the regulation for the 2017 calendar year. The certification must be made by the board of directors or a senior officer of the covered entity.

“The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities,” Maria T. Vullo, superintendent of the DFS, said in a reminder notice about the impending deadline. “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with regulatory standards and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications. DFS’s goal is to prevent cybersecurity attacks, and we therefore will now include cybersecurity in all DFS examinations to ensure that proper cybersecurity governance is being practiced by our regulated entities. As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cyber criminals.”

As part of the incorporation of cybersecurity into all of the DFS regulatory examinations, questions related to the issue will be added to “first day letters,” the notices sent by the regulator to commence its exams for safety and soundness.

To read the DFS reminder and access the portal, click here.

Why it matters

Covered entities should ensure timely compliance filing with the DFS and be prepared for cybersecurity to be a part of examinations by the regulator going forward.