The New York DFS Wants Certificates of Compliance for Valentine’s Day

By Scott Lyon | January 31, 2018

What were you planning to give the New York Department of Financial Services for Valentine’s Day? Hopefully, a certificate of compliance.

It is hard to believe that almost a year has passed since the NYDFS cybersecurity regulations (Cyber Rules) became partially effective on February 15, 2017. As the anniversary approaches, there are still two weeks left before the filing deadline if you have not already completed your 2017 requirements.

As a reminder, organizations that qualified for a limited exemption to the Cyber Rules had to file a notice of exemption on or before October 1, 2017. Remember, the limited exemptions lightened some of the cybersecurity obligations. For example, exempt organizations did not need to adopt an incident response program or submit to annual penetration testing. Several of the other requirements, such as adopting a formal cybersecurity program, must still be completed and certified.

For everyone else, here is a brief overview of what needs to be done before February 15, 2018:

Risk Assessment

The starting point for any cybersecurity program is the initial risk assessment: taking inventory of the critical assets of your organization, identifying threats to those assets, prioritizing those threats and developing mitigation strategies. The Cyber Rules require this assessment to be repeated periodically as appropriate, particularly in circumstances where there is a substantial change in the organization’s infrastructure, such as the relocation of a data center or expansion of operations into a new jurisdiction.

If you haven’t finished your risk assessment yet, you will probably have a very busy two weeks. If you have completed this task, do not rest easy. Now is a good time to put a reminder on your calendar to review the assessment in six months for potential changes.

Cybersecurity Program

Based on the risk assessment, your organization should commit its cybersecurity program to paper, consisting of a collection of policies focused on the various needs identified in the Cyber Rules.

The program should focus on protecting the confidentiality, integrity and availability of the organization’s information assets, utilizing administrative, technical and physical controls. A copy of the policies and program documents must be available for inspection at the request of the DFS superintendent.

Access Restrictions

The Cyber Rules state that organizations “shall limit user access privileges to information systems that provide access to nonpublic information and shall periodically review such access privileges.”

In practical terms, this means that not every user in your organization’s environment should have access to all nonpublic information. They should only have the access rights and privileges necessary to perform their duties. If your current access controls are “flat and wide,” meaning everyone has the same rights and privileges and nothing is restricted, you should reassess your current policies.

Security Personnel

While DFS did not require licensees to hire new cybersecurity personnel, the Cyber Rules do mandate that organizations obtain the necessary expertise, whether through their own employees or qualified third party service providers.

Consequently, your organization must ensure it has adequately staffed its security program to fulfill all of the commitments made in the program documents.

Designate a CISO

As above, though DFS is not compelling any licensee to hire a new chief information security officer (CISO), your organization does need to designate someone, either internally or a third party service provider, who will assume responsibility for managing the organization’s security program and reporting at least annually to the organization’s key stakeholders.

While it may be tempting to simply add this job title to someone already in the C-Suite, the CISO must be qualified in this specialized field, and you should be prepared to defend his or her qualifications if DFS inquires.

Incident Response Plan

If your organization were to suffer a security incident today, who would receive the first telephone call or email? How are security incidents tracked internally? Who in the organization determines when a security incident qualifies as a reportable breach? Who is in charge of mitigating and recovering from the incident?

The answers to these questions should be found in your organization’s incident response plan. A fully documented plan is an invaluable tool when an incident is discovered and response time is short. A copy should be readily available in case the DFS Superintendent asks to review it.

Next Steps

Once you file your certificate of compliance, there is still much work to be done. Beginning March 1, 2018, your organization’s CISO must report at least annually to the key stakeholders in your organization on the strengths, weaknesses, past performance and future objectives of your security program.

Unless you qualified for a limited exemption, you will also need to submit to annual penetration testing, in which security professionals actively test whether they can hack you by penetrating your organization’s security defenses. Additionally, you will need to perform bi-annual vulnerability assessments and actively train all organization personnel on security awareness and best practices, similar to the harassment training many organizations already currently perform.

As if you did not already have enough on your plate, there are additional requirements triggering in September 2018. Organizations, yours included, must create and implement policies for retention and disposal of nonpublic information, which will require many companies to take a long, hard look at their current data management and archiving policies.

Businesses will also be required to implement audit trails so security incidents can be detected and responded to quickly and material financial transactions can be reconstructed in the event of data destruction.

Finally, organizations should actively monitor authorized users so they can identify anomalous behavior, as well as implement encryption or other commensurate controls to protect the confidentiality and integrity of data in transit and at rest. If your organization needs assistance satisfying any of the requirements above, qualified cybersecurity counsel should be consulted.


About Scott Lyon

Scott Lyon is a partner at Michelman & Robinson, LLP, a national law firm with offices in Los Angeles, Orange County (California), San Francisco, Chicago and New York City. As member of M&R's Intellectual Property Practice, Lyon helps clients evaluate and implement effective information security practices. Likewise, he provides advice on best practices in the event of data breaches.

Was this article valuable?

Here are more articles you may enjoy.