Cybersecurity Compliance Deadlines Loom
Earlier this year, the New York State Department of Financial Services laid out new cybersecurity requirements for financial services companies.
These rules took effect on March 1 and established an array of “regulatory minimum standards” that companies must now meet. When all is said and done, financial services companies will be required to annually certify compliance and report cybersecurity events directly to the department, appoint a chief information security officer (CISO), conduct periodic risk assessments, create and periodically review an incident response plan and maintain audit trails for set periods (5 years for financial transactions for example).
NYDFS set a series of rolling deadlines for companies to become compliant with these new standards. The first of these deadlines, Aug. 28, is imminent.
Recently, law firm Baker Hostetler presented a comprehensive webinar breaking down what’s required of at each step. Here’s a quick rundown of what companies need to know.
Who Has to Comply?
The new regulations affect any organization operating under or required to “operate under DFS licensure, registration or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.” These include NYDFS licensees and their affiliates (trust companies, mortgage companies, insurance companies, etc.), New York branch offices, business partners and counterparties.
Charitable annuity societies, non-NY risk retention groups and reinsurers are exempt, as are companies with fewer than 10 employees, less than $5 million in gross annual revenue for three years or less than $10 million in year-end total assets. Companies with limited operations in New York, captive insurance companies and any company that doesn’t use information systems or access nonpublic information (NPI) will receive lesser exemptions.
August 28 Deadline
By this date, independent of any current measures in place, financial service companies must:
- Designate a CISO;
- Ensure that qualified cybersecurity personnel are in place;
- Establish a written incident response plan and cybersecurity policy that must be approved by a senior officer;
- Begin using defensive infrastructure and limiting access to NPI; and
- Start reporting cybersecurity events to NYDFS.
With only a handful of weeks before this deadline, there isn’t a great deal of time left for companies to meet these goals if they haven’t started putting them into motion. So, perhaps projecting out to what will be required at the next deadline, March 1, 2018, will be more helpful.
March 1, 2018 Deadline
By this date financial services companies must:
- Conduct a thorough risk assessment and have the CISO report directly to the board;
- Have employees undergo specific training;
- Begin using multi-factor authentication; and
- Start conducting continuous monitoring or annual penetration testing and bi-annual vulnerability assessments.
Of these requirements, the risk assessment deserves specific attention. Since it’s a keystone element of several of the other requirements that must be met during this period, its individual deadline is effectively much earlier than March 1. It will, after all, be difficult to begin establishing cybersecurity based on a risk assessment before actually performing one. And all of these things take time.
Beyond these individual steps, Melinda McLellan, partner at BakerHostetler, stressed the need for the CISO to have broad access to company records. “They will need to know exactly what the company has done so they can properly certify,” she said.
Indeed, there are potential reporting difficulties that could lie ahead and companies need to “show-don’t tell” regulators they are in compliance. A cybersecurity program can’t just exist in the CISO’s head, it has to be memorialized somehow.
According to BakerHostetler Partner Craig Hoffman, companies need to consider, “How are we going to prove compliance beyond just letting agencies interview our people?”
Author: David H. Lenok
Hong Kong Watchdog Issues Record HK$15.2 Million Fine To Chinese Broker Over Failure To Report Money Laundering
The Securities and Futures Commission, Hong Kong’s securities watchdog, has fined mainland Chinese state-owned firm Guosen Securities (HK) Brokerage a record HK$15.2 million (US$1.9 million) for failure to report money-laundering activity, it said on Monday. An...
With Brexit fast approaching, there are growing worries surrounding the U.K.’s financial and economic well-being after leaving the safety blanket of the European Union. Among fears of the U.K. heading towards economic turmoil, we must also consider the real threat...
The RCMP has filed charges against 17 people accused of taking part in a multi-million-dollar money-laundering scheme. Police arrested 14 people on Monday in the Montreal and Toronto area, but three suspects are still at large. According to the RCMP, members of the...