The deadline to comply with the first set of requirements under the new DFS Cybersecurity Regulations (“the Regulations”) is here! By today, August 28, 2017, businesses subject to the Regulations must ensure that they:
- Designate a Chief Information Security Officer (“CISO”)
- Establish a Cybersecurity Program
- Develop a Written Cybersecurity Policy.
We have prepared an article and a webinar to help subject businesses gain a better understanding of this first set of requirements.
As future compliance deadlines approach, we will prepare similar guidance materials. Below, to assist subject businesses to craft their long-term plans, are the future compliance deadlines that the Regulations impose.
| Effective Date | Requirement |
| 8/28/2017 | Cybersecurity Program |
| Cybersecurity Policy | |
| Chief Information Security Officer (CISO) | |
| 2/15/2018 | First Annual Certification by Senior Management or Board of Directors |
| 3/1/2018 | Penetration Testing and Vulnerability Assessments |
| Multi-Factor Authentication | |
| Risk Assessment | |
| Training and Monitoring: Cybersecurity awareness training for all personnel | |
| 9/3/2018 | Audit Trail |
| Application Security | |
| Cybersecurity Personnel and Intelligence | |
| Training and Monitoring: Policies that monitor authorized users/ detect unauthorized access or use of nonpublic information | |
| Encryption of Nonpublic Information | |
| Limitations on Data Retention | |
| 3/1/2019 |
Third Party Service Provider Security Policy
|
NOTE: Certain covered entities are exempt from some of the requirements listed above. Please contact the Jackson Lewis attorney with whom you work to confirm whether your business is exempt.