2019 NY State Department of Financial Services (DFS) Cybersecurity Filing Requirements

By Jeff Aldorisio

Posted on Feb 22, 2019

As of February 15, 2019, all Covered Entities and licensed persons who are not fully exempt from the Regulation were required to submit a Certification of Compliance. The document provides an attestation covering compliance for the 2018 calendar year.

The DFS Certification of Compliance provides critical proof that a regulated entity engages in appropriate governance over its cybersecurity program. While fully exempt entities and persons did not need to submit a certificate, some organizations who filed a Notice of Exemption may only be partially exempt and therefore still require a Certification of Compliance to demonstrate  compliance with the portions of the regulation that apply to them.

As with every newly introduced regulation, organizations tend to put compliance efforts on the back burner until attestation deadlines or audits come up. Are organizations ready for compliance with NY DFS?

Since the initial effective date, DFS has released a Frequently Asked Questions (FAQ) page clarifying several points:

  • First, it expands the definition of Covered Entity to Health Maintenance Organizations (HMOs), continuing care and retirement communities, and not-for-profit mortgage brokers.
  • Second, the FAQ specifically states that a third-party business partner’s “Certification of Compliance with NYSDFS Cybersecurity Requirements” does not constitute due diligence.
  • Third, the FAQ notes that companies not engaging in continuous monitoring must complete a robust Penetration Testing  and vulnerability assessment program in a timely manner since the NY DFS considers them “a crucial component” of a cybersecurity program.
  • Fourth, NYDFS clarified that Covered Entities should report “unsuccessful attacks” when an event triggered measures beyond the ordinary to thwart the attackers enabling  the NYDFS to distribute the information throughout community

Are organizations ready to submit a complete certificate of compliance by February 15, 2019? Let’s consider some of the critical aspects of NY DFS we should address:

  1. Establishment of a Cybersecurity Program
  2. Adoption of a Cybersecurity Policy
  3. Designation of a Chief Information Security Officer
  4. Creation and Implementation of a Risk Management Program for Third-Party Service Providers

Before regulators begin reviewing compliance and assessing fines, you must address all these requirements. Since cybercriminals continuously seek new system, network, and software vulnerabilities, point-in-time audit reports no longer prove cybersecurity. Documenting the continuous monitoring of your data environment and data ecosystem with  real-time visibility into cyber risk is the only way to maintain a robust compliance posture and avoid violation penalties. Taking a proactive rather than reactive approach to cybersecurity and compliance can protect and organization’s data, financial security, and reputation.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!