As previously warned here, February 15, 2018 is the first annual deadline for individuals and companies licensed or otherwise authorized under the New York Insurance, Banking and Financial Services laws (defined as Covered Entities) to certify compliance with the Cybersecurity Regulation of the New York Department of Financial Services, unless an exemption applies. Covered Entities must certify that for the year ended December 31, 2017 they met the Regulation’s requirements that were operative at that time, meaning the requirements that had a transition date of August 28, 2017. These included the requirement for a Cybersecurity Program, a written Cybersecurity Policy, a Chief Information Security Officer (CISO), restrictions on Access Privileges, certain requirements for Cybersecurity Personnel and Intelligence, an Incident Response Plan, and Notices to the Superintendent of certain cybersecurity events. Certain Covered Entities, including employees of Covered Entities and certain small businesses, are exempt from the certification requirement if they filed an exemption notice.
Just around the corner, the next transition date will make additional requirements of the Regulation operative for Covered Entities, unless they have filed an exemption notice. These requirements include an annual report by the CISO to the Covered Entity’s Board of Directors, requirements for Penetration Testing and Vulnerability Assessments, and the requirement for periodic Risk Assessments.
The requirements of the Regulation, including the exemptions, are described more fully here and here.