The DFS Effect: Cyber Meets Sarbanes Oxley

Patterson Belknap Webb & Tyler LLP

Financial institutions with ties to New York spent their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.

Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first-ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.

There’s a similarity between the new DFS certification and the internal control certification required by Section 302 of the federal Sarbanes-Oxley Act (SOX). SOX requires that a company’s Chief Executive Officer and Chief Financial Officer sign off on the accuracy, documentation and submission of financial reports, as well as the company’s internal control structure. Both drive accountability and elevate risk oversight to the most senior levels of corporate America.

Likewise, the DFS certification – which must be signed by either the Board Chair or a senior officer – attests to two things: First, that the individual signing the certificate has done enough diligence to get comfortable with the organization’s compliance process. As we’ve blogged about recently, whoever signs the certification must attest to the review of “documents, reports, certification and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary.”

Second, the certification requires a “best of knowledge” representation that the organization is in compliance with the applicable provisions of the regulation. Below, we reprint a copy of the certification:

The certification covers the first round of requirements under the regulation including:

  • Designation of a Chief Information Security Officer (CISO)
  • Implementation of an overall Cybersecurity Program meeting the criteria in the Regulation
  • Implementation of Cybersecurity Policies
  • Development of an Incident Response Plan
  • Limited access privileges to an organization’s IT network
  • Use of qualified cybersecurity personnel (either internal or external to the entity) to manage the entity’s risks and to oversee core functions

And once the certification is electronically filed with DFS by tomorrow’s deadline, banks and insurers must turn to the second round of the regulation’s requirements, which must be completed by March 1st. We’ll cover those requirements in a future blog post.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Patterson Belknap Webb & Tyler LLP | Attorney Advertising
