The DFS Effect: Cyber Meets Sarbanes Oxley
Today, financial institutions with ties to New York are spending their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.
Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file their first ever compliance certificate through the agency’s online portal, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.
There’s a similarity between the new DFS certification and the internal control certification required by Section 302 of the federal Sarbanes-Oxley Act (SOX). SOX requires that a company’s Chief Executive Officer and Chief Financial Officer sign off on the accuracy, documentation and submission of financial reports, as well as on the company’s internal control structure. Both drive accountability and elevate risk oversight to the most senior levels of corporate America.
Likewise, the DFS certification – which must be signed by either the Board Chair or a senior officer – attests to two things. First, that the individual signing the certificate has done enough diligence to get comfortable with the organization’s compliance process. As we’ve blogged about recently, whoever signs the certification must attest to the review of “documents, reports, certification and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary.”
Second, the certification requires a “best of knowledge” representation that the organization is in compliance with the applicable provisions of the regulation. Below, we reprint a copy of the certification:
The certification covers the first round of requirements under the regulation including:
- Designation of a Chief Information Security Officer (CISO)
- Implementation of an overall Cybersecurity Program meeting the criteria in the Regulation
- Implementation of Cybersecurity Policies
- Development of an Incident Response Plan
- Limited access privileges to an organization’s IT network
- Use of qualified cybersecurity personnel (either internal or external to the entity) to manage the entity’s risks and to oversee core functions
And once the certification is electronically filed with DFS by tomorrow’s deadline, banks and insurers must turn to the second round of the regulation’s requirements, which must be completed by March 1st. We’ll cover those requirements in a future blog post.