Financial Services Superintendent Maria T. Vullo today announced that the Department of Financial Services (DFS) has launched a new online portal to securely transmit in real time all notifications required under New York’s first-in-the-nation cybersecurity regulation. This regulation requires all banks, insurance companies, and other financial services institutions regulated by DFS to establish and maintain a cybersecurity program designed to protect consumers’ private data and ensure the safety and soundness of New York’s financial services industry.

“DFS continues to implement innovative technologies and modernize its processes to better serve regulated entities and the New Yorkers they serve,” said Superintendent Vullo. “With DFS’s leading cybersecurity regulation, the DFS cyber portal will allow New York’s financial institutions to quickly, easily, and securely report cybersecurity events and file required certifications of compliance, ensuring that the necessary safeguards are in place to protect New York consumers and financial institutions as the threat of cyber-attacks continues to increase.”

The new cyber portal is among a number of steps DFS is taking to foster the modernization of state regulation to protect consumers and the financial services industry, while supporting and keeping pace with industry innovation.  These initiatives include the Department’s transition to the Nationwide Multistate Licensing System and Registry, a secure, web-based, nationwide licensing system that allows companies to apply for, update, and renew their licenses in one or more states conveniently and safely online, and a new online application process to speed the re-licensing of agents and brokers whose original licenses have been expired for more than two years

Beginning on August 28, 2017, all entities covered by DFS cybersecurity regulation must file certain notifications to the Superintendent including notices of certain cybersecurity events within 72 hours from a determination that a reportable event has occurred.  A cybersecurity event is reportable if it falls into at least one of the following categories:

• The cybersecurity event impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
• The cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity. 

In addition, by February 15, 2018, covered entities must file a certificate of compliance stating that the covered entity has been in compliance for the previous calendar year. 

Filings made through the DFS Web Portal are preferred to alternative filing mechanisms as the DFS Web Portal provides a paperless reporting tool to facilitate compliance with the DFS cybersecurity regulation.

Notices of Exemption, Certifications of Compliance and Notices of Cybersecurity Events should be filed electronically via the DFS Web Portal http://www.dfs.ny.gov/about/cybersecurity.  For further information about New York’s cybersecurity regulation, please see the frequently asked questions on the DFS website.