X
    X
    X
    X

    NY DFS Cybersecurity Compliance Certificate Required Today; Additional Requirements Looming

    Publications

    As previously warned here, February 15, 2018 is the first annual deadline for individuals and companies licensed or otherwise authorized under the New York Insurance, Banking and Financial Services laws (defined as Covered Entities) to certify compliance with the Cybersecurity Regulation of the New York Department of Financial Services, unless an exemption applies.  Covered Entities must certify that for the year ended December 31, 2017 they met the Regulation’s requirements that were operative at that time, meaning the requirements that had a transition date of August 28, 2017.  These included the requirement for a Cybersecurity Program, a written Cybersecurity Policy, a Chief Information Security Officer (CISO), restrictions on Access Privileges, certain requirements for Cybersecurity Personnel and Intelligence, an Incident Response Plan, and Notices to the Superintendent of certain cybersecurity events.  Certain Covered Entities, including employees of Covered Entities and certain small businesses, are exempt from the certification requirement if they filed an exemption notice.

    Just around the corner, the next transition date will make additional requirements of the Regulation operative for Covered Entities, unless they have filed an exemption notice.  These requirements include an annual report by the CISO to the Covered Entity’s Board of Directors, requirements for Penetration Testing and Vulnerability Assessments, and the requirement for periodic Risk Assessments.

    The requirements of the Regulation, including the exemptions, are described more fully here and here.

    Explore Additional Topics

    Disclaimer

    Please understand that your communications with Locke Lord LLP through this website do not constitute or create an attorney-client relationship with Locke Lord LLP. Any information you send to Locke Lord LLP through this website is on a non-confidential and non-privileged basis. Therefore, do not send or include any information in your email that you consider to be confidential or privileged.