DFS Cyber Regulation Countdown: Who Should Certify Compliance?

Patterson Belknap Webb & Tyler LLP
Contact

Companies subject to New York’s Department of Financial Services (DFS) new cybersecurity regulation should be preparing to comply with the first round of requirements by the upcoming August 28th deadline: enacting a cybersecurity program and policies, implementing user access privileges, designating a Chief Information Security Officer (CISO), employing qualified personnel, and implementing an incident response plan.

But covered companies should also be thinking ahead to February 15, 2018, the date on which they must file an annual certification with the DFS attesting to compliance with the regulation. To do so, companies are required to file a signed attestation certifying compliance with the regulation for the prior year.

Although the regulation itself does not specifically identify who must sign the annual certification, the “form” appended to the regulation provides that either the “Board of Directors” or “Senior Officer(s)” must sign. And whoever signs the certification must have “reviewed documents, reports, certifications and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary.”

Each option—board of directors or senior officer—raises different issues. The board of directors already must receive “at least annually” a report from the CISO about the company’s cybersecurity program. But the regulation itself is highly detailed, and the DFS form requires the “Board of Directors,” not a member of the Board of Directors, to attest to compliance. This suggests a potentially time consuming process within the context of a board’s oversight responsibilities.

Having a senior officer attest to compliance might be logistically easier. Presumably, a member of senior management is charged with overseeing the company’s cybersecurity policies, and could more easily certify compliance. However, the regulation’s definition of “Senior Officer(s)” is less than clear: the “individual or individuals” must be “responsible for management, operations, security information, systems, compliance and/or risk” of the company. If, for example, one officer is charged with managing “risk” for the company, and another with the company’s “information systems,” multiple senior officers might need to sign the certificate of compliance. And the number of senior officers required to attest to compliance could be even greater with large institutions.

There is no “right” answer to this question. Companies will need to evaluate the best way to address the certification issue based on their particular circumstances. And they will need to do so soon.

 

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising

Written by:

Patterson Belknap Webb & Tyler LLP
Contact
more
less

Patterson Belknap Webb & Tyler LLP on:

Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:
*By using the service, you signify your acceptance of JD Supra's Privacy Policy.
Custom Email Digest
- hide
- hide

This website uses cookies to improve user experience, track anonymous site usage, store authorization tokens and permit sharing on social media networks. By continuing to browse this website you accept the use of cookies. Click here to read more about how we use cookies.