The first New York State (NYS) Department of Financial Services (DFS) CISO Attestation is due on February 15th.
Last year, the NYS DFS enacted a new cybersecurity regulation that affects all financial companies that conduct business in the State of New York.
The regulation is targeted towards financial companies that conduct business in New York State. A "Covered Entity" means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law of the State. A company need not be domiciled in the State to be subject to the regulation. (Very similar to how GDPR is set up.)
Financial institutions include banks, money managers, and insurance companies. There are exceptions, but they are quite limited (based on institutional income and employee count). The impact of this regulation is very broad.
In previous articles, I discussed the evolution of the regulation, as well as some of the important milestones that must be achieved in order to achieve compliance with the regulation.
The first milestone date passed back in August, and now, the next important milestone is looming whereby the designated CISO of each financial organization must file the first certification of the organization’s compliance with the regulation.
The regulation includes the letter that must be filled out and filed with the Department of Financial Services. It is a simple, somewhat inelegant form, but it packs a powerful legal punch in that the CISO is attesting that the regulation is being followed. This means that your organization must have implemented the six items required in the first milestone.
The reason why this simple form is so powerful is due to the undefined enforcement powers of the regulation. The exact language states: “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws”. To a tech person, those sound like some very broad enforcement powers.
One has to wonder if enforcement will be limited to prevention of a non-compliant business from conducting operations in New York, or perhaps they can be as harsh as those prescribed in the GDPR, which becomes effective in May. Cybersecurity has now gone very mainstream and become very serious.
Now is a good time to review if your organization has stayed on track with the regulation’s milestones. Please also note that the next milestone is March 1st.
Many of us in the InfoSec community anticipated that this new era of cybersecurity regulation was on the way. However, now is not the time for any “I told you so” smugness. Remember, it is our job to guide organizations about how to meet the requirements of these new regulations. Remember, if you are not the CISO, then you are probably responsible for making the CISO’s job easier. Let your expertise lead the way! If you are the CISO, please sign on the line and get that letter to the NYS DFS by February 15th.
