Financial institutions with ties to New York spent their Valentine’s Day learning how to use the New York State Department of Financial Services (DFS) web portal.
Almost a year ago, the DFS unveiled one of the most aggressive efforts in the nation to crack down on cybercrime in the banking and insurance industries. And by tomorrow, more than 3,000 firms are required to file through the agency’s online portal their first ever compliance certificate, swearing that their organization has satisfied the first phase of requirements under the state’s new cybersecurity regulation.
There’s a similarity between the new DFS certification and the internal control certification required by Section 302 of the federal Sarbanes-Oxley Act (SOX). SOX requires that a company’s Chief Executive Officer and Chief Financial Officer sign off on the accuracy, documentation and submission of financial reports, as well as the company’s internal control structure. Both drive accountability and elevate risk oversight to the most senior levels of corporate America.
Likewise, the DFS certification – which must be signed by either the Board Chair or a senior officer – attests to two things: First, that the individual signing the certificate has done enough diligence to get comfortable with the organization’s compliance process. As we’ve blogged about recently, whoever signs the certification must attest to the review of “documents, reports, certification and opinions” of “officers, employees, representatives, outside vendors and other individuals as necessary.”
Second, the certification requires a “best of knowledge” representation that the organization is in compliance with the applicable provisions of the regulation. Below, we reprint a copy of the certification:
The certification covers the first round of requirements under the regulation including:
And once the certification is electronically filed with DFS by tomorrow’s deadline, banks and insurers must turn to the second round of the regulation’s requirements, which must be completed by March 1st. We’ll cover those requirements in a future blog post.