On February 15th, organizations subject to the New York Department of Financial Services Cybersecurity Regulation are required to submit their first annual certification attesting to their compliance with the state’s new data security requirements.
The certification must be signed by the Chairperson of the Board of Directors (on behalf of the Board) or by another Senior Officer. A Senior Officer in this context is the senior individual or individuals responsible for “the management, operations, security, information systems, compliance and/or risk” of the entity. We previously blogged about the questions involved in deciding who should sign this compliance certification.
Whoever is chosen to sign must attest that he or she has “reviewed documents, reports, certifications and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary” showing that the entity has been in compliance for the prior year.
Among the requirements the certification covers:
- Designation of a Chief Information Security Officer (CISO)
- Implementation of an overall Cybersecurity Program meeting the criteria in the Regulation
- Implementation of Cybersecurity Policies
- Development of an Incident Response Plan
- Limitation of user access privileges to the organization’s information systems
- Use of qualified cybersecurity personnel (either internal or external to the entity) to manage the entity’s risks and to oversee core functions
A template of the certification is appended to the Regulation as Appendix A.
The FAQs published by DFS on this Regulation state that each organization must annually certify its compliance and cannot depend on the certification of an affiliate. Moreover, they make clear that a covered entity may not submit a certification if it is not in compliance with all applicable requirements of Part 500 (excluding those which are subject to an ongoing transitional period under 23 NYCRR 500.22 at the time of certification).
Though the certification itself requires no supporting paperwork, each organization must maintain, for at least five years, all records, schedules and data supporting the certification, and make them available for DFS examination upon request. To the extent an organization has identified areas, systems or processes that require material improvement, updating or redesign, it must document both the identification and the remedial efforts planned and underway.
Comparisons have been drawn between the DFS certification and the internal control certification required by Section 302 of the federal Sarbanes-Oxley Act. SOX provides generally that a company’s Chief Executive Officer and Chief Financial Officer are responsible for the accuracy, documentation and submission of financial reports as well as the internal control structure. The comparison seems apt. Both certifications seek to impose accountability, and to ensure the involvement of senior officials in important governance issues.
Within two weeks of filing their annual certification, organizations covered by the Regulation will be required to comply with the second round of the state’s data security requirements. We’ll discuss the March 1st requirements in a future blog post.