Feb. 15 Deadline Looms for NY's Banking, Insurance and Financial Services Industries
January 31, 2018 | Shari Claire Lewis
New York based bank, insurance and financial service businesses face a February 15, 2018 deadline to submit their compliance certification to the State’s Department of Financial Services (DFS).
New York’s Cybersecurity Regulation (23 NYCRR Part 500) was issued by DFS last March – the first such state regulation in the nation. The Regulation includes various deadlines by which “Covered Entities” are required to assess and reduce the risk of a cyber-attack and to respond if a breach occurs. The next deadline, on February 15, requires “Covered Entities” to submit their first compliance certification to DFS. Additional, and potentially more rigorous deadlines for compliance, follow on March 1, 2018. For a list of deadlines under the Regulation, click here: http://www.dfs.ny.gov/about/cybersecurity.htm.
Who is affected by New York’s cybersecurity regulation?
Under § 500.01, a Covered Entity means "any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, Insurance Law or Financial Services Law." A "Person" includes any individual or non-governmental entity, such as partnerships, corporations, agencies, branches or associations. However, the regulation generally exempts organizations with:
a) fewer than 10 employees,
b) less than $5 million in gross revenue in each of the past three years, or
c) less than $10 million in year-end total assets in the prior fiscal year.
Any qualifying Covered Entity is required to undertake a cybersecurity program that includes risk assessment (such as penetration testing, vulnerability assessment and third-party vendor analysis), implementation of security upgrades (such as multi-factor authentication, access limitations and encryption of non-public information) and preparation for a cybersecurity event (such as a written Incident Response Plan). The requirements are set forth in the Cybersecurity Regulation, which may be found in its entirety at the DFS cybersecurity page linked above.
What is required by the February 15, 2018 deadline?
Section 500.17(b) requires that a Covered Entity submit its first annual certification under the Regulation by February 15, 2018. A sample form certification included as Appendix A is provided at the end of the Cybersecurity Regulation and is available at the link above.
An entity is required to be registered with DFS and file through the DFS Portal. Portal filing instructions may be found at http://www.dfs.ny.gov/portal.htm. Although supporting documentation must be kept in case of an audit, only the certification must be filed.
In essence, the certification states that the Covered Entity's board of directors has reviewed the necessary documents and reports and, to the best of the board's knowledge, the entity has complied with New York's Cybersecurity Regulation. Importantly, the compliance requirements in this first year after the Regulation's rollout apply only to those aspects of the Regulation whose deadlines fell before February 15, 2018. Subsequent certifications will certify compliance with deadlines that occur thereafter, so that, for example, an entity's compliance with the requirements of the upcoming March 1, 2018 deadline need not be certified until February 15, 2019, and full compliance will not be required to be certified until February 2020 (see FAQ 20 at http://www.dfs.ny.gov/about/cybersecurity_faqs.htm).
What is required by the March 1, 2018 deadline?
NYS’ Cybersecurity Regulation allows for a two-year “transitional period” for full compliance with all aspects of the regulation. Under § 500.22(b)(1), covered entities have one year from the Regulation’s effective date (March 1, 2017) to comply with certain provisions:
- appointment of a chief information security officer (§ 500.05(b))
- first annual penetration testing and bi-annual vulnerability assessment (§ 500.05)
- risk assessment pursuant to a written policy and protocol (§ 500.09)
- multifactor authentication (§ 500.12) and
- provision of "regular" cybersecurity awareness and training to personnel (§ 500.14(b)).
Notably, it appears that in the transitional period, DFS may not require that all of these events occur prior to March 1, 2018. Rather, the Covered Entity must show that it has created a cybersecurity program that includes a plan as to how it will comply with the requirements in the near future. For example, DFS' FAQs state that the first annual penetration testing and vulnerability assessment need not be completed by March 1, 2018, but that a plan to do so must be in place by that date. DFS cautions that it "expects all institutions with no continuous monitoring to complete robust Penetration Testing and vulnerability assessment in a timely manner as they are a crucial component to a cybersecurity program" (see FAQ 1 at http://www.dfs.ny.gov/about/cybersecurity_faqs.htm).
As this is a newly enacted regulation, we await further guidance from DFS as to whether they will interpret the remaining March 1 compliance deadlines in a similar fashion.
The NYS Cybersecurity Regulation establishes cybersecurity requirements that will continue to roll out over the next year. It also formalizes a truism that we have learned the hard way: cybersecurity needs to be addressed proactively by a coalition of C-suite, information-technology and legal professionals.