In early 2017, the New York State Department of Financial Services (DFS) released the “Cybersecurity Requirements for Financial Services Companies” (23 NYCRR Part 500), with an effective date of March 1, 2017. This is the first state-level regulation that mandates that financial services firms implement and maintain a robust, ongoing cybersecurity program. Other states are expected to follow New York’s approach with similar regulations, partly because there is no national cybersecurity standard. The New York regulation covers “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” in the state of New York. Covered organizations with fewer than 10 employees (including independent contractors), less than $5M in gross annual revenue in each of the last three fiscal years, or less than $10M in year-end total assets qualify for a limited exemption from some of the regulation’s requirements.
The regulation applies to organizations of widely varying size and could be a burden for those that have not already built a security program. DFS appears to recognize this disparity in size and capability: each organization may tailor its cybersecurity program to the results of its own risk assessment. Even so, a core set of requirements is mandatory for every covered organization, regardless of size, unless it qualifies for the limited exemption described above. Examples of mandatory requirements include designating a qualified Chief Information Security Officer (CISO), performing penetration testing and vulnerability assessments, and establishing a written incident response plan.
The regulation takes a phased approach, with transitional periods that allow organizations to come into compliance with the individual requirement sections over a two-year period. Below is a breakdown of those sections and their respective deadlines.
Organizations that choose to put off compliance until the end of the phased deadlines will:
- Face an increased workload and cost across a shorter period of time,
- Risk rushing decisions and not implementing thoughtful and practical solutions,
- Risk missing the deadlines and encountering enforcement actions.
Covered firms are required to submit their initial “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations” by February 15, 2018, and annually thereafter. The certification must be signed by a member of the Board of Directors or, if no board exists, by the senior-most officer. If DFS finds that an organization has not complied with the regulation, for example in the course of investigating a data breach, it can use the superintendent’s full enforcement authority under applicable law. Firms subject to the regulation may enlist a third-party security service provider to fulfill requirements such as the CISO role; however, the firm retains responsibility for compliance and must designate a senior member of its own personnel to direct and oversee that provider.
To learn more about the “New York State Cybersecurity Requirements for Financial Services Companies,” register for our NY Cyber Security Regulation – How it Impacts You and Your Company webinar and our How Small and Mid-Sized Organizations Comply with the NY Cybersecurity Regulation webinar. If you’d like to discuss developing a security program that complies with this new regulation in a cost-effective way, please feel free to CONTACT US.