By tomorrow, all “covered entities” that fall under New York State’s cybersecurity regulation must have submitted a letter to the New York Department of Financial Services “certifying that the Covered Entity is in compliance with the requirements.” Tomorrow marks the first time that covered entities are required to submit such a document.
While collection agencies do not fall under the definition of “covered entities,” many agencies work with those that do meet the criteria to be defined as such. Under the regulation, covered entities are defined to mean “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.” In short, any financial services company that lends money in New York is covered under this regulation, and any third party providing services to a covered entity is also subject to complying with the regulation.
It is possible that collection agencies may start receiving requests, if they have not already, from the individual designated as the covered entity’s chief information security officer, asking for details of their compliance with the regulation. Under the regulation, third-party service providers must
maintain a cybersecurity program that protects the Covered Entity in accordance with the requirements of this Part.
Covered entities are also only about two weeks away from having to comply with other sections of the regulation, including a report on the company’s cybersecurity program from the chief information security officer to the company’s board or senior officers, annual penetration testing and bi-annual vulnerability assessments, periodic risk assessments, using multi-factor authentication, and providing regular cybersecurity awareness training to all employees.
The section that covered entities must be in compliance with by tomorrow is Section 500.17(b). It states:
Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
Scrolling down to Appendix A, the form looks like this:
Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations
The Board of Directors or a Senior Officer(s) of the Covered Entity certifies:
- The Board of Directors (or name of Senior Officer(s)) has reviewed documents, reports, certifications and opinions of such officers, employees, representatives, outside vendors and other individuals or entities as necessary;
- To the best of the (Board of Directors) or (name of Senior Officer(s)) knowledge, the Cybersecurity Program of (name of Covered Entity) as of (date of the Board Resolution or Senior Officer(s) Compliance Finding) for the year ended (year for which Board Resolution or Compliance Finding is provided) complies with Part ___.
Signed by the Chairperson of the Board of Directors or Senior Officer(s)
For those who might be wondering how seriously the Department is taking this, here is something from the state’s FAQs about the regulation:
The Department expects full compliance with this regulation. A Covered Entity may not submit a certification under 23 NYCRR 500.17(b) unless the Covered Entity is in compliance with all applicable requirements of Part 500 at the time of certification. To the extent a particular requirement of Part 500 is subject to an ongoing transitional period under 23 NYCRR 500.22 at the time of certification, that requirement would not be considered applicable for purposes of a certification under 23 NYCRR 500.17(b).