Cybersecurity Deadlines Approaching for Banking, Insurance, and Financial Services Companies


By: David A. Cole
Businesses that are subject to the New York Department of Financial Services (“DFS”) cybersecurity regulations should be aware of upcoming compliance deadlines. Don’t be fooled—these regulations may apply to your business even if you’re not located in New York. The DFS cybersecurity regulations broadly apply to any business “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] Banking Law, the Insurance Law or the Financial Services Law.” A full description of entities covered is listed on the DFS website.
Earlier this summer, covered entities had to meet an initial deadline requiring them to: (1) designate a Chief Information Security Officer; (2) establish a cybersecurity program; and (3) develop a written cybersecurity policy. Now, DFS has issued a press release to remind covered entities of another upcoming deadline under the cybersecurity regulations. By February 15, 2018, covered entities must submit a statement to DFS certifying their compliance with the regulations. The certification must be submitted through DFS’ online cybersecurity portal. A proposed certification of compliance form is attached as Appendix A to the regulations.
In addition, by March 1, 2018 (the one-year anniversary of the cybersecurity regulations), covered entities must submit their first annual written report to their boards, governing bodies, or other appropriate individual/committee. Also by this deadline, covered entities are required to have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or periodic penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please talk to one of our Data Security, Privacy & Technology attorneys. We are here to help!