August 28, 2017 is the first of the rolling deadlines to comply with the New York Department of Financial Services' (DFS) new and far-reaching cybersecurity regulations for companies licensed under the state's banking, insurance and financial services laws.
As of that date, licensed companies must be able to show regulators that they are implementing a comprehensive cybersecurity program, based on a risk assessment.
It’s up to each company “to assess its specific risk profile and design a program that addresses its risks in a robust fashion”. But the must-do list in the New York cybersecurity regulations (23 NYCRR Part 500) gets pretty specific.
By 8/28, for instance, companies must:
Also, new reporting requirements mandate notifying the DFS within 72 hours of determining that a "cybersecurity event" has occurred that has "a reasonable likelihood of materially harming" normal operations; the clock runs from the determination, not from the attack itself. The DFS also asks companies to report unsuccessful cyber attacks that they consider "serious".
The next milestone to meet requirements comes March 1, 2018, when companies must start:
The whole "transition period" of deadlines wraps up on March 1, 2019, two years after the regulations took effect.
The New York cybersecurity code doesn't spell out penalties for non-compliance, but the DFS makes it very clear that it will hold the C-suite and the board to account:
“Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”
Notably, the US federal banking regulators (Federal Reserve, OCC, FDIC) recognized FAIR as an established model for cyber risk quantification in their Advance Notice of Proposed Rulemaking on Enhanced Cyber Risk Management Standards.