The New York Department of Financial Services (DFS) has significantly raised the bar for cybersecurity programs, releasing regulations on September 13, 2016, that are slated to go into effect on January 1, 2017. The regulation will affect all entities with a DFS “license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” The regulation requires each entity’s Board of Directors to file an annual certification of compliance with the superintendent of DFS. We recommend that covered entities begin evaluating the requirements and preparing plans, as remediation initiatives may require several months to complete.
Although the topics included in the new regulation are not new, the specific requirements are more stringent than previous regulations. An entity with fewer than 1,000 customers, less than $5,000,000 in gross annual revenue, and less than $10,000,000 in assets at the end of the year is exempt from some of the requirements. However, the grace period is only 180 days (e.g., June 2017), and the new regulations will be included in DFS examinations beginning January 1, 2018.
Based upon our research, New York is the lead state requiring cybersecurity controls to protect the financial industry. We understand that other states have similar initiatives and that the requirements in this pending regulation are being considered at a national level.