Data Security Law Blog

New York’s DFS Cyber Deadlines Loom

It’s a marathon month for the thousands of financial institutions and insurance companies covered by New York’s landmark cybersecurity regulation. In little more than a week, these businesses must file their second annual certification of compliance with the State’s Department of Financial Services. Two weeks later, they must also come into compliance with the regulation’s third-party vendor requirements, the final milestone in the two-year rollout of the cybersecurity regulation.

Late last week, outgoing DFS Superintendent Maria T. Vullo issued a “reminder” that the second annual certification must be filed via the DFS cybersecurity portal on or before February 15, 2019, and that by March 1, 2019, businesses using third-party vendors must adopt policies and procedures governing the way outsiders access the company’s network and sensitive information. We previously blogged about the third-party requirements.

Superintendent Vullo’s press release also noted that, as of March 1, 2019, each DFS-regulated business must have in place the following, many of which are from earlier DFS implementation deadlines:

  • A cybersecurity program designed to protect consumers’ private data;
  • Written cybersecurity policies approved by the board or a senior officer;
  • A Chief Information Security Officer (CISO) to help protect data and systems and to enforce the requirements of the regulation within their own institution;
  • Policies and procedures governing third-party providers; and
  • Controls and plans to help ensure the safety and soundness of New York’s financial services industry.

“With the deadline for final implementation nearing,” said Superintendent Vullo, “[a]ll DFS-regulated institutions should now have in place a comprehensive risk-based cybersecurity program and adequate controls to protect their information systems, with senior-level attention to these protections.”

With the end of the implementation period now in sight, some are beginning to consider the possibility that enforcement actions might follow. While DFS has not brought many major cyber enforcement actions to date, regulators may be inclined to begin testing the waters to see how businesses have implemented the regulation’s requirements. We’ll continue to report on all major DFS cyber developments.