DFS Cyber Regulation Countdown: Who Should Certify Compliance?
Companies subject to the New York Department of Financial Services’ (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.
But covered companies should also be thinking ahead to February 15, 2018, the date on which they must file an annual certification with the DFS attesting to compliance with the regulation. To do so, companies are required to file a signed attestation certifying compliance with the regulation for the prior year.
Although the regulation itself does not specifically identify who must sign the annual certification, the “form” appended to the regulation provides that either the “Board of Directors” or “Senior Officer(s)” must sign. And whoever signs the certification must have “reviewed documents, reports, certifications and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary.”
Each option—board of directors or senior officer—raises different issues. The board of directors already must receive “at least annually” a report from the CISO about the company’s cybersecurity program. But the regulation itself is highly detailed, and the DFS form requires the “Board of Directors,” not a member of the Board of Directors, to attest to compliance. This suggests a potentially time-consuming process within the context of a board’s oversight responsibilities.
Having a senior officer attest to compliance might be logistically easier. Presumably, a member of senior management is charged with overseeing the company’s cybersecurity policies and could more easily certify compliance. However, the regulation’s definition of “Senior Officer(s)” is less than clear: the “individual or individuals” must be “responsible for management, operations, security, information systems, compliance and/or risk” of the company. If, for example, one officer is charged with managing “risk” for the company, and another with the company’s “information systems,” multiple senior officers might need to sign the certificate of compliance. And the number of senior officers required to attest to compliance could be even greater at large institutions.
There is no “right” answer to this question. Companies will need to evaluate the best way to address the certification issue based on their particular circumstances. And they will need to do so soon.