The New York Department of Financial Services (NYDFS) issued its first-of-its-kind cybersecurity regulation (23 NYCRR 500) on March 1, 2017. Any covered entity – banks, insurance companies, and other financial services institutions regulated by the DFS – should have already become compliant with phase one of the regulation by August 28.
The NYDFS Cybersecurity Regulation mandates that covered entities submit their first certification no later than February 15, 2018. According to the NYDFS document Cybersecurity Requirements for Financial Services Companies, “Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year […] in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part.”
The NYDFS states that covered entities that do not fulfill all requirements outlined in Part 500 will not be allowed to submit formal certification. For companies considered not fully compliant, the NYDFS has set February 15, 2018 as the hard deadline.
This date is important because, depending on the level of data security your organization has already achieved, compliance with NYCRR 500 can be an onerous task. A business entity will need to achieve certain steps that can include:
- Obtaining senior management enrollment and support
- Appointing appropriate personnel
- Assessing cybersecurity risk
- Implementing controls to mitigate risk and manage data breaches
- Ensuring cybersecurity staff awareness and training is in place
Your organization faces potential litigation if it cannot submit certification
Although there is no set monetary penalty for non-compliance, the NYDFS can take legal action against guilty parties. Under Financial Services Laws 102, 201, 202, 301, 302, and 408, the NYDFS superintendent has the authority to issue civil penalties and impose fines for non-compliance with regulations and false reporting.
Earlier this year, the DFS fined Deutsche Bank $425 million for violating anti-money-laundering laws; the violations involved inadequate precautions to identify compliance issues, including:
- Inaccurate and insufficient documentation
- Weak risk assessment
- Under-resourced staff
- Negligence in detecting, investigating, and intercepting the scheme
The DFS also ordered the bank to engage an independent organization to review its existing programs, policies, and procedures. After selecting the monitoring agency, Deutsche Bank must cooperate with the DFS to investigate the cyber crime and commit to a compliance enhancement program.
Organizations can’t afford to miss the certification deadline
Like a substantial number of organizations, you may have only modest cybersecurity measures in place, if any. Don’t let time slip away. Address your company’s NYCRR 500 certification needs as soon as possible. One way is by implementing an information security management system (ISMS) that is certified to ISO 27001.
ISO 27001 is the international standard that describes best practice for an ISMS. Clauses 4.2 and 4.3 of ISO 27001 mandate that an ISMS meets all legal, regulatory, and contractual requirements, which, by extension, includes the NYDFS Cybersecurity Regulation. IT Governance can help. Visit our NYDFS cybersecurity page to understand the NYDFS cybersecurity requirements, get resources, and learn about covered entities’ obligations.