The New York Department of Financial Services’ (DFS) controversial and comprehensive cybersecurity regulations were adopted nearly a year ago, in March 2017. See 23 NYCRR 500.1, et seq. While implementation has been ongoing, interpretive guidance has been scant at best. The regulations impose various cybersecurity requirements on New York entities that hold a license from DFS, referred to in the regulation as “Covered Entities.” Although glaring ambiguities in the regulations remain, critical implementation dates are quickly approaching.
All Covered Entities are required to submit their first certification of compliance to the Superintendent of DFS under 23 NYCRR 500.17(b) by February 15, 2018. This annual certification is the first official filing by all Covered Entities pursuant to the regulation. Entities that potentially qualified for a Limited Exemption from this first certification (such as employees of Covered Entities, or Covered Entities that do not possess Nonpublic Information) had to file for that exemption by September 27, 2017.
A Covered Entity must already have had the following items completed by August 28, 2017; with a potential DFS audit in mind, it is especially prudent for an Entity to confirm that each of them is in place:
- Cybersecurity program (23 NYCRR 500.02);
- Cybersecurity policy (23 NYCRR 500.03);
- Appointment of a Chief Information Security Officer (CISO) (23 NYCRR 500.04);
- Addressing access privileges to the Covered Entity’s Information Systems and confidential data (23 NYCRR 500.07);
- Designation by the CISO of personnel within the Covered Entity to address various aspects of the Covered Entity’s cybersecurity and confidentiality systems (23 NYCRR 500.10);
- Formulation and adoption by the Covered Entity of an incident response plan for cybersecurity events (23 NYCRR 500.16);
- Notification to the Superintendent of cybersecurity events, and preparation of an annual assessment (23 NYCRR 500.17).
Further, with March around the corner, all CISOs of Covered Entities must submit a report to DFS, and each Entity must have the following in place by March 1, 2018:
- Penetration testing and vulnerability assessments;
- Risk assessment program;
- Multi-factor authentication to limit access to a Covered Entity’s systems;
- Cyber awareness training for its employees.
As these compliance dates approach, it is imperative that Covered Entities vigilantly adhere both to the timeline and to the substantive compliance obligations outlined in the regulations.