NYDFS Cybersecurity Compliance: It Is Not Too Late
In December 2016, the New York State Department of Financial Services (DFS) published cybersecurity regulations designed to protect consumer data and financial systems from the ever-growing threat of cyberattacks. Considered the first in the nation, the proposed regulation went into effect March 1, 2017. It requires covered entities, which include banks, insurance companies, and other financial services institutions regulated by DFS, to establish and maintain a cybersecurity program and ensure compliance with rigorous cybersecurity requirements.
Covered entities were required to submit a certification as to their compliance with the new standards no later than February 15th, 2018.
If your firm missed the deadline, you can still submit the compliance certification via the DFS portal, and should do so as soon as possible.
DFS will consider a failure to submit a Certification of Compliance as an indicator that the cybersecurity program of the Covered Entity has a substantive deficiency.
If your firm has received a notice of non-compliance from DFS, you need to quickly identify the gaps in your cybersecurity program and controls and then close those gaps to be able to file for compliance. The main areas to focus on for compliance are:
- Information Security Governance and Policies
- Data Governance and Classification
- Access Controls and Identity Management
- Cybersecurity Organization
- Incident Response Planning
- Network Infrastructure and Physical Safeguards
- Vendor and Third-Party Service Provider Management
- Risk and Vulnerability Management
This has been prepared for information purposes and general guidance only and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its members, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.