Data Protection Report - Norton Rose Fulbright

February 15, 2018, is quickly approaching and any entity subject to New York’s cybersecurity regulation (23 NYCRR Part 500) must file its first annual certification of compliance with the New York State Department of Financial Services (DFS) by that date. New York imposes cybersecurity requirements on all entities (covered entities) subject to the jurisdiction of the DFS, which include not only banks and insurers, but also any persons regulated by the DFS, including the newest DFS licensees, those engaged in virtual currency business activity.

Covered entities are required annually to submit a certification to the DFS covering the prior calendar year, certifying that the covered entity is in compliance with the regulation’s requirements. For the first certification due February 15, the certification need only cover a subset of the total items with which a covered entity must comply, including the baseline requirements that the covered entity have a cybersecurity program, cybersecurity policies and procedures, an incident response plan, and a chief information security officer. Compliance with the remaining requirements such as implementing multi-factor authentication, conducting annual penetration testing and vulnerability assessments, and  implementing a third party service provider security policy, will  be added into next year’s certification.

The certification must be signed by a senior officer or the chair of the board of the covered entity, and may not be submitted unless it is in compliance with the relevant requirements. The DFS also requires that each entity must file an annual certification of its own compliance; it cannot be filed by an affiliate on behalf of the covered entity.

The certificate is to be submitted electronically at the DFS Web Portal. Entities are not required to submit explanatory or additional materials with the certification, but the DFS expects entities to maintain records sufficient to support the certification. Similarly, if the entity has identified areas, processes or systems that require material improvement, redesign or updating, then the entity must document its efforts and maintain those records for inspection by the DFS.

Failure to file the certification in accordance with the regulation subjects the covered entity to enforcement action by the DFS, including possible civil penalties.

The DFS has issued additional guidance on compliance with the regulation.

* * *

To subscribe to posts from Data Protection Report, please click here.