On February 15, 2018, a milestone event occurred in New York. For financial institutions licensed in New York (there are about 3,000 of them), the Chairman of the Board, CEO or some other similar executive had to personally sign a document and submit it to the State of New York. The document says that the signer has personally reviewed the documents, reports, certifications and opinions of such officers, employees, outside vendors and others as necessary to ascertain that the institution is in compliance with the New York cyber security regulation known as DFS 500.
While the law only applies to the roughly 3,000 financial institutions licensed in New York, it actually will have a much wider impact that I will explain in a minute.
So, right now, for the first time ever, executives of New York financial institutions have to personally sign a document that says that they both understand the law and are in compliance with it.
For 2017, the period covered by the attestation, the law's requirements are relatively simple: conduct a risk assessment, create a cyber security program, appoint a CISO and a few other things, all of which are generally accepted cyber security practices. Not easy. Not cheap. Not without organizational disruption. But possible.
BUT, if the Board thinks they can rest easy, they shouldn’t. The law is being phased in over two years, and this period only covers the first part of the rules. The document that they will have to personally sign next February (technically the same document, but with different requirements for being “in compliance”) will require much more work on the part of the organization.
While there is an exemption for very small organizations, even that is only a partial exemption.
There is another set of requirements coming due March 1st, and still more requirements that need to be in place by September 1st, so 2018 will be a busy year for those folks.
But remember that I said earlier that the regulation will impact way more than those 3,000 licensed financial institutions? Here’s why.
The part of the regulation that financial institutions have the most time to implement is the part that will be the hardest to implement. These 3,000 organizations have to implement a vendor cyber risk management program. We have some smallish clients (say 400 employees) that have around a hundred vendors each that this will impact. Larger organizations, like the big banks, might have a couple thousand vendors.
Basically, all of their vendors, if they want to continue to be vendors to these New York licensed financial institutions, need to implement a similar cyber security program to what the financial institutions are implementing now.
When it comes to which vendors it impacts, it probably doesn’t impact the corner deli delivering lunch or even the office supply store, but it could impact the janitorial company and it certainly will impact all vendors that the institution shares data with.
My guess is that this will impact somewhere between a quarter million and a half million businesses.
That is, through all the whining, a good thing.
We know that other states are looking at what New York is doing. Vermont and Colorado have implemented a piece of it already. California is likely to be number two for implementing the whole enchilada.
For those people who thought that New York was going to back down – apparently not.
Congratulations to New York on getting the Board’s attention. Forcing the CEO or Chairman to sign his or her name to a legal document that carries significant financial penalties is often effective at getting people’s attention.
I think other states were waiting to see if the New York regulators would fold. At least so far they are not folding. Stay tuned.
What could be next is significant fines. No one knows what the regulator is going to do next, but the indications are that Maria Vullo is out to make sure that people understand that she is not to be messed with. Ignore these rules at your own peril.
What this means for vendors that sell into the New York financial services space is that now is the time to check out the regulation and start making the changes – ahead of when your customer tells you that either you get with the program or they will find a vendor that will. It is always easier to do it under your own timeline. But don’t wait too long to start. They will be coming for you sooner than you think.
Information for this post came from Cyberscoop.