The August 28 deadline for companies to begin the first steps toward complying with the New York State Department of Financial Services’ new cybersecurity regulations came and went this week. If your firm hasn’t made adjustments yet, you still have some time.
Though there are certain elements firms were required to have in place by August 28, they don’t actually have to officially certify to NYDFS that they’re in compliance with the new standards until February 15, 2018.
“People shouldn’t lose sight of the fact that it’s February that they’ll have to actually certify that they’re actually in compliance,” said Mike Stiglianese, financial-services industry lead at consulting company BDO National Technology & Cybersecurity in New York. “So, there’s still time to fix things before you have to do the certification.”
Mark Krotoski, a partner at Morgan Lewis, agreed. “The February annual review is when the agency is really going to look closely at the compliance issue.”
Companies that get their acts together in the interim still have to admit the missed August deadline in their February certifications. However, this might not be that big a deal.
“New York State is a wild card, especially with this regulation being the first of its kind,” Stiglianese said. “The way that it traditionally works with regulators, especially when it’s such a new type of regulation, is if you can demonstrate that you’re aware of it and taking action to resolve any issues, they’ll usually at least be lenient within the first review.”
However, so much of what’s laid out in the rules is extremely vague. “At this point, it’s not even clear what the initial penalties will be, even if you aren’t able to certify in February,” he added.
The lack of clarity may be why firms failed to fully implement the August requirements. Further, there’s no way for companies to run their proposals by NYDFS to see if they’re in compliance before putting them into place, unlike, say, the tax code, where the IRS routinely releases Private Letter Rulings for individual cases. Earlier this month, for instance, the SEC released some guidance on cybersecurity noting that many companies already had cybersecurity programs in place, but those programs were either not followed properly or weren’t in harmony with the regulations.
“There are questions from many of our clients in that they’re doing many of the things required, but not in the exact manner that the regulations suggest, which is unclear,” Krotoski said.
He has further concerns about the efficacy of implementing what he calls a “checklist approach to cybersecurity.” He explains, “[The rules] may actually be proscriptive, simply because having to allocate resources to certain ‘required’ areas may drain them from others, where they may be more needed on an individual basis. They’re listed as ‘minimum requirements,’ but what does that actually mean?”
Both believe that companies that make a good-faith effort to comply and, most importantly, carefully document that effort will be just fine from a regulatory standpoint.
“The worst place to be is to simply be totally inactive,” said Stiglianese. “It’s key for organizations to at least do something to document that they’re aware of the regulation, and what they need to do to comply.”