The deadline to comply with the first set of requirements under the new DFS Cybersecurity Regulations (“the Regulations”) is here! By today, August 28, 2017, businesses subject to the Regulations must ensure that they:

  1. Designate a Chief Information Security Officer (“CISO”)
  2. Establish a Cybersecurity Program
  3. Develop a Written Cybersecurity Policy.

We have prepared an article and a webinar to help subject businesses gain a better understanding of this first set of requirements. 

As future compliance deadlines approach, we will prepare similar guidance materials. Below, to assist subject businesses to craft their long-term plans, are the future compliance deadlines that the Regulations impose.

Effective Date Requirement
8/28/2017 Cybersecurity Program
Cybersecurity Policy
Chief Information Security Officer (CISO)
2/15/2018 First Annual Certification by Senior Management or Board of Directors
3/1/2018 Penetration Testing and Vulnerability Assessments
  Multi-Factor Authentication
Risk Assessment
Training and Monitoring: Cybersecurity awareness training for all personnel
9/3/2018 Audit Trail
Application Security
Cybersecurity Personnel and Intelligence
Training and Monitoring: Policies that monitor authorized users/ detect unauthorized access or use of nonpublic information
Encryption of Nonpublic Information
Limitations on Data Retention
3/1/2019 Third Party Service Provider Security Policy


NOTE: Certain covered entities are exempt from some of the requirements listed above. Please contact the Jackson Lewis attorney with whom you work to confirm whether your business is exempt.