Not In Compliance With NYDFS’s Cybersecurity Regulations? Helpful Guidance From HLC On What To Do Now.
You have been busy. Your company has clients to service and business to win. Maybe you were vaguely aware of the New York State Department of Financial Services’ (“NYSDFS”) cybersecurity regulation that went into effect last March but now the deadline has passed for filing the cybersecurity annual certification and you did not submit. Not only that, but maybe you didn’t do anything to comply. Of course, there is also the reminder you recently received from New York State underscoring your non-compliance….
The first step is obvious: deflect blame. Target prospects include anyone from your organization, your vendors, politicians, lawyers (obligatory), and New York State itself.
If you have already received the notice, then it is likely that you need to comply. There has been some confusion about the need for individuals to comply versus firms, since the requirements apply to both. Covered companies may comply on behalf of affiliates, subsidiaries, employees, and contracted individuals (e.g., registered representatives) but may not comply on behalf of third party providers that are entities. This means that third party providers who are regulated by NYSDFS may still be subject to the regulations even if they have employees who are in compliance through the information security program of another Covered Entity.
Another important point to remember is that it does not matter if you are located out of state. If your firm must register with the NYSDFS to conduct covered businesses within New York, then you must comply with the regulations.
Is My Business Partially Exempt?
After you have determined that you are subject to the regulation, the next question you need to ask is whether you are eligible to file for a partial exemption (which you may also be delinquent on…sorry). If you are, then you only must comply with the major requirements indicated by the red boxes below. If you are not, then red and blue are your colors.
Partial exemptions are available if your firm: (i) has fewer than ten employees and contractors; (ii) has less than $5mm in gross annual revenues; (iii) has less than $10mm in year-end total assets; OR (iv) effectively has nothing to do with Nonpublic Information, as defined in the regulations.
If you know you are covered by the law, qualify for an exemption and have not filed, then you should do so now. Log in here:
https://myportal.dfs.ny.gov/web/cybersecurity and file now…I’ll wait.
Whether or not you are exempt, the next step is to start to comply, and the first step there is to get an information security risk assessment done. This is not a DIY project unless you have in-house information security professionals. You should hire an experienced cyber security assessment firm to assist. In addition, if you are not partially exempt, you will need to ensure that a vulnerability scan and penetration test are done on your systems. Even if you are partially exempt, you should perform vulnerability scanning and penetration testing anyway, as it is an industry best practice for any information security program.
The risk assessment is generally the first step towards identifying where your gaps are, and a security program, if one is not already in place, should flow from the results of that risk assessment. The assessor should also provide your firm with a prioritization map to facilitate your response. In addition, a qualified third party information security risk assessor should be able to provide your firm with direction as to how it can address the gaps identified, including those specifically required by New York’s regulations.
While a risk assessment is in process, you should also assess (or compile) your policies and procedures since this process will require your active engagement from the beginning. Do not simply adopt off the shelf information security policies and procedures without fully understanding how they will apply within your organization. The regulations require that your policies be based on the findings from the risk assessment, so if your firm just adopts form policies without any review or customization, it is effectively documenting non-compliance with the regulation. Again, you should consult experienced third parties with regards to crafting such policies.
The areas that your policies will need to cover include:
Once you have established your course of action as set forth above, you should reach out to NYSDFS and advise that your compliance certification will be delayed but you are taking the above actions (excepting blame deflection) to correct.
Having managed to correct this one lapse, make sure to keep an eye on the forthcoming regulatory timelines. Implementation of controls respecting audit trails, data retention, data encryption, application security and user monitoring is required by September 3rd of this year. By March of next year, covered firms will need to certify that they have implemented a Vendor Risk Management program.