Last week, the New York State Department of Financial Services (“DFS”) issued a press release to remind covered entities of an upcoming deadline under the DFS cybersecurity regulations.  The next deadline under the regulations is February 15, 2018 – by that date, any covered entities (hopefully, you know who you are) must submit a statement to DFS certifying compliance with the regulations (excuse me, the landmark, first-in-the-nation regulations).  The certification must be submitted through DFS’ online cybersecurity portal.  A proposed certification of compliance form is attached as Appendix A to the regulations.

The press release also noted that cybersecurity will be incorporated into all future examinations conducted by DFS. Superintendent Maria Vullo stated “DFS’s regulation requires each entity to have an annual review and assessment of the program’s achievements, deficiencies and overall compliance with the regulatory standards” and that by including cybersecurity in future examinations, DFS will help prevent cybersecurity attacks.

Speaking of annual reviews and assessments, another deadline is approaching under the DFS cybersecurity regulations. By March 1, 2018 (the one year anniversary of the regulation), covered entities should submit their annual written report to their boards, governing bodies, or other appropriate individual/committee.   Also by this deadline, covered entities should have in place:

  • Regular cybersecurity awareness training;
  • Continuous monitoring or period penetration testing and vulnerability assessments;
  • Multi-factor authentication controls; and,
  • A process for the completion of written and documented periodic risk assessments of information systems in conformance with written policies and procedures.

Mark your calendars! If you need help meeting these requirements, are looking for assistance with the policies and procedures or training, or if you have any questions, please let the Jackson Lewis Privacy, e-Communications and Data Security Practice Group know.  And, if you need a refresher on any points related to the DFS cybersecurity regulations, here are links to our previous blog posts (excuse me, award-winning blog posts), articles and our webinar which are full of details: