1/2/2019

NYS DFS 500: Key Dates in 2019

 

The New York State Department of Financial Services’ (DFS) mandatory cybersecurity requirements for financial services entities became effective on March 1st, 2017, with a two-year implementation period. The regulation requires banks, insurers, and other financial institutions to establish and maintain a “risk-based, holistic, and robust security program” that is ultimately designed to protect consumers’ private data.

 

The regulation requires all DFS regulated entities, subject to certain exemptions, to adopt the core requirements of a cybersecurity program, including a cybersecurity policy, effective access privileges, cybersecurity risk assessments, and training and monitoring for all authorized users, among other requirements. The regulation also requires the establishment of governance processes to ensure senior attention to these important protections. The final effective date for the regulation will be March 1, 2019, by which time, under section 500.11, DFS regulated entities are required to have written policies and procedures that are based on a risk assessment to ensure the security of nonpublic information and information systems that are accessed or held by third party service providers.

 

Accordingly, by March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers' private data; a written policy or policies that are approved by the Board of Directors or a Senior Officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York's financial services industry including encryption and multifactor authentication. The regulation sets forth certain limited exemptions, many of which still require certain cybersecurity programs and practices.

 

Key Dates for 2019 Cybersecurity Filings

All regulated entities and licensed persons of the New York State Department of Financial Services (DFS) are required to file various notices to the Superintendent.

  • January 2019 Covered Entities Must File Notices of Exemption
    • Exemptions filed in 2017 and 2018 have expired. Any DFS regulated entity or licensed person that is currently entitled to an exemption must file an Initial Notice of Exemption prior to the February 15, 2019 due date for the annual Certification of Compliance.
  • February 15, 2019 Compliance Certification Filing Deadline
    • Regulated entities and licensed persons must file the Certification of Compliance for calendar year 2018 no later than February 15, 2019.


Digital Edge is an expert in ISO standards and is certified by the International Standards Organization on Information Security and Quality (ISO 27001). There is a clear crosswalk between the DFS law and ISO standards. Digital Edge will help implement policies, standards and practices to cover all DFS requirements based on the International Standards Organization framework.

 

Contact us today to further explore how our team can provide your business with an unparalleled cybersecurity solution, with our continued focus on Stability, Security, Efficiency and Compliance.

For more information on this regulation and to ensure that your organization is following the critical compliance requirements, please read our most recent articles:

  1. DFS Compliance – Mandatory Cybersecurity Requirements
  2. To Do: Check List to Comply with DFS Cybersecurity Law
  3. Discover the NEW online DFS Cybersecurity Reporting Portal
  4. Exempt from DFS Cybersecurity Regulations – Now What?

Danielle Johnsen
VP of Compliance

Danielle V. Johnsen joined the Digital Edge team in 2015 as the VP of Compliance. With a passion for information security and organizational compliance, Danielle’s vision is to enable collaboration between 'The Business' and Information Technology, thus creating common objectives and outcomes that benefit the organization, while staying in compliance with all regulatory bodies and companywide policies. She specializes in security frameworks and policies such as ISO 9001, ISO 27001, NYS DFS 500, NIST, HIPAA, GDPR, PCI, OSPAR, and more!