Press Release
January 31, 2019


All Covered Entities Must Be in Full Compliance with the Cybersecurity Regulation by March 1, 2019

February 15, 2019 Compliance Certification Filing Deadline Is Approaching for Covered Entities to Submit a Statement of Compliance for the Prior Calendar Year

Financial Services Superintendent Maria T. Vullo today reminded DFS-regulated entities and licensed persons covered by the Department of Financial Services (DFS)’s landmark cybersecurity regulation that the final implementation period for the regulation ends March 1, 2019.  New York’s first-in-the-nation cybersecurity regulation became effective March 1, 2017.  DFS implemented a two-year timeline for implementation of the regulation’s requirements, with a final compliance deadline of March 1, 2019.  The final step in the implementation timeline requires regulated entities that use third-party providers to put in place policies and procedures ensuring the security of information systems and nonpublic information accessible to, or held by, such providers.  Superintendent Vullo today also reminded all regulated entities that the second certification of compliance covering the prior calendar year must be filed electronically via the DFS cybersecurity portal on or before February 15, 2019.

“Two years ago, DFS took steps to address the significant issue of cybersecurity, issuing a first-in-the-nation regulation protecting the financial services industry and consumers from the ever-increasing threat of data breaches and cyber attacks.  With the deadline for final implementation nearing, all DFS-regulated institutions should now have in place a comprehensive risk-based cybersecurity program and adequate controls to protect their information systems, with senior-level attention to these protections,” said Superintendent Vullo. “This regulation, which demonstrates the importance of strong state regulation and has set a national model, will provide much-needed protections for the financial services industry and consumers well into the future.”

All banks, insurance companies, and other financial services institutions and licensees regulated by DFS are now required to have a cybersecurity program in place that is designed to protect consumers’ private data; a written policy or policies that are approved by the board or a senior officer; a Chief Information Security Officer to help protect data and systems; protections of data at third-party providers; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.  Covered entities and licensees must also report cybersecurity events to DFS through the Department’s secure online cybersecurity portal.

A copy of the cybersecurity regulation and a set of frequently asked questions can also be found on the portal.