Upcoming Deadlines for Covered Entities Subject to NYS DFS Cybersecurity Regulations
Last week, the New York State Department of Financial Services (“DFS”) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations. The next deadline under the regulations is February 15, 2018 – by that date, any covered entities (hopefully, you know who you are) must submit a statement to DFS certifying compliance with the regulations (excuse me, the landmark, first-in-the-nation regulations). The certification must be submitted through DFS’ online cybersecurity portal. A proposed certification of compliance form is attached as Appendix A to the regulations.
The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS. Superintendent Maria Vullo stated “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards” and that by including cybersecurity in future examinations, DFS will help prevent cybersecurity attacks.
Speaking of annual reviews and assessments, another deadline is approaching under the DFS cybersecurity regulations. By March 1, 2018 (the one year anniversary of the regulation), covered entities should submit their annual written report to their boards, governing bodies, or other appropriate individual/committee. Also by this deadline, covered entities should have in place:
- Regular cybersecurity awareness training;
- Continuous monitoring or period penetration testing and vulnerability assessments;
- Multi-factor authentication controls; and,
- A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.