Posted on Feb 22, 2019
As of February 15, 2019, all Covered Entities and licensed persons who are not fully exempt from the Regulation were required to submit a Certification of Compliance. The document provides an attestation covering compliance for the 2018 calendar year.
The DFS Certification of Compliance provides critical proof that a regulated entity engages in appropriate governance over its cybersecurity program. While fully exempt entities and persons did not need to submit a certificate, some organizations that filed a Notice of Exemption may only be partially exempt and therefore still need to submit a Certification of Compliance covering the portions of the regulation that apply to them.
As with every newly introduced regulation, organizations tend to put compliance efforts on the back burner until attestation deadlines or audits come up. Are organizations ready for compliance with NY DFS?
Since the initial effective date, DFS has released a Frequently Asked Questions (FAQ) page clarifying several points:
Are organizations ready to submit a complete certificate of compliance by February 15, 2019? Let’s consider some of the critical aspects of NY DFS we should address:
Before regulators begin reviewing compliance and assessing fines, you must address all of these requirements. Because cybercriminals continuously look for new system, network, and software vulnerabilities, a point-in-time audit report only shows that controls were in place on the day of the audit, not that they are still effective. Documenting continuous monitoring of your data environment and data ecosystem, with real-time visibility into cyber risk, is the only way to maintain a robust compliance posture and avoid violation penalties. Taking a proactive rather than reactive approach to cybersecurity and compliance protects an organization's data, financial security, and reputation.
With attackers increasingly compromising third parties as a path into the larger organizations they serve, the third-party ecosystem is more fragile than ever before.
The purpose of an IT security risk assessment is to determine the security risks to your company's critical assets, and how much funding and effort should be devoted to protecting them. Get started with SecurityScorecard's step-by-step guide to managing your cyber risk.