NY Cybersecurity certification explained - filing due on April 15th.

If you offer financial services in the state of New York, the IRS isn't the only regulator expecting a filing from you on April 15. On March 1, 2017 the NY Department of Financial Services (DFS) put into effect a regulation (23 NYCRR Part 500) establishing cybersecurity requirements for financial services firms, with various exemptions. Since the regulation was adopted, the cybersecurity landscape has evolved tremendously: threat actors have become more sophisticated and more prevalent, and cyberattacks have become easier to execute (for example, ransomware-as-a-service) and more expensive to remediate. The good news is that, over the same period, a number of additional cybersecurity controls have come on the market that make it possible to manage cyber risk at a reasonable cost. For these reasons, and because DFS now better understands the significant work organizations must perform to protect themselves, the regulation was amended, and the amended regulation took effect on November 1, 2023.

The scope of DFS-regulated individuals and entities required to comply with the amended Cybersecurity Regulation (referred to below as "Covered Entities") continues to include, but is not limited to, partnerships, corporations, branches, agencies, and associations operating under, or required to operate under, a license, registration, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law.

So how do you know whether you qualify for the limited exemption from the DFS Cybersecurity Regulation? The DFS cybersecurity guidance site identifies three tests, any one of which qualifies a Covered Entity:

  1. - The Covered Entity and its affiliates combined have fewer than 20 employees and independent contractors.

  2. - The Covered Entity has less than $7.5 million in gross annual revenue in each of the last three fiscal years from (1) all of its business operations, wherever located, and (2) its affiliates' New York business operations.

  3. - The Covered Entity has less than $15 million in year-end total assets, including the assets of its affiliates.

Note that a limited exemption is not a full exemption: an entity that claims it must file a Notice of Exemption with DFS, and it remains subject to the requirements described below, including the annual filing.

Now that we've determined whether you qualify for a limited exemption, what requirements must you meet? If you qualify, your obligations are limited to reviewing the data and documentation needed to determine your compliance with the regulation for the prior calendar year, and then submitting one of the following to DFS:

  1. - a written certification of compliance, certifying that the entity materially complied with the requirements of the regulation during the prior calendar year, or

  2. - a written acknowledgement of noncompliance, acknowledging that the entity did not comply with all of the requirements of the regulation during the prior calendar year, identifying the requirements it was not in compliance with, and providing either a written timeline for remediation or confirmation that remediation has been completed.

Control requirements for organizations with a limited exemption include:

  1. - reviewed and approved written cybersecurity policies;

  2. - a reviewed and updated risk assessment;

  3. - cybersecurity awareness training;

  4. - review and management of privileged user access;

  5. - assessments of third-party service providers for the continued adequacy of their cybersecurity practices;

  6. - reporting of cybersecurity incidents and of extortion payments made in connection with them;

  7. - secure disposal of nonpublic information (NPI) that is no longer needed;

  8. - multi-factor authentication (MFA) for remote access to your entity's information systems, for remote access to third-party applications from which NPI is accessible, and for all privileged accounts. If your organization's CISO has approved compensating controls in place of MFA, the CISO must review and reapprove them annually; and

  9. - an up-to-date asset inventory of information systems, required beginning November 1, 2025.

The NY DFS provided a Cybersecurity Program Template to help individual licensees and individually owned businesses develop a comprehensive cybersecurity program aligned with the requirements of New York State's Cybersecurity Regulation. I recommend reviewing the file in detail to understand the required controls. At a high level, the control requirements include: documentation (e.g., policies and standards) evidencing your cybersecurity program; an asset inventory of information systems; cybersecurity risk assessments; assessment of the risks associated with third-party service providers; access management and privileged access controls; data retention and disposal; cybersecurity awareness training; and incident response and reporting. Additionally, a number of controls for both small businesses and standard companies do not need to be implemented until May 1, 2025, and some controls for standard companies are not required until November 1, 2025. These are specifically identified in the training materials provided by the NY DFS.

I'm going to be honest and admit that my taxes are not filed yet. I don't think I'd be able to do so as well as complete my New York compliance filing (here's to new businesses with revenues under $7.5 million!).

Malcom Risk Advisors is currently working with clients to complete their filings. If this is still on your to-do list, it is a good example of where Malcom Risk Advisors can help you meet an urgent compliance requirement. We're getting close to the end of March, so while this engagement does not take long, I'd recommend reaching out sooner rather than later to ensure we can get it completed by April 15th.

Also, if you need any additional references, I picked 15 of 16 first round games in the NCAA Men’s Basketball Tournament yesterday.

I’m looking forward to hearing from you.

All the best,

Dave

david@malcomriskadvisors.com
