ALBANY -  Beginning Thursday, banking and insurance companies regulated by the New York Department of Financial Services had to file their first annual certification of compliance with the department's cybersecurity regulations, which are expected to have national and global impact.

Feb. 15 marked the second major deadline for the state agency's cybersecurity regulations, which requires banking and insurance companies doing business in New York to comply with groundbreaking rules aimed at deterring cyberattacks. A board member or senior officer at thousands of DFS-regulated entities has to certify that the company is in compliance with the security requirements established by the department, and must submit certification annually from now on. 

Mark Krotoski, a California-based partner at Morgan, Lewis & Bockius who advises clients on cybersecurity and privacy issues, said today's deadline is “very significant in terms of the implementation” of the regulations.

“The signature actually certifies that either the board of directors or a senior officer has reviewed relevant documents, reports and opinions of individuals inside [the company] or outside vendors and they are complying with the regulation. That's significant not only under this regulation, but this is one of the first entities to impose  these requirements,” Krotoski said in an interview Thursday.

The regulations are slated to have far-reaching impact on financial services and insurers that do business in New York “because New York is obviously a very important place for commerce,” Krotoski said. “This affects many large financial institutions in the U.S. and foreign entities with presence in New York.”

With the compliance certification in place, “everyone is watching” what the enforcement actions by DFS will look like, Krotoski added.

In a statement to the New York Law Journal, DFS Superintendent Maria Vullo said that the compliance certification is a “critical governance pillar for the cybersecurity program of all DFS-regulated entities.” 

“DFS's regulation requires each entity to have an annual review and assessment of the program's achievements, deficiencies and overall compliance with regulatory standards and the DFS cybersecurity portal will allow the safe and secure reporting of these certifications,” she added.

Vullo said the DFS' goal is to prevent cybersecurity attacks by making sure that proper precautions are taken by the banks, insurers and credit reporting agencies the department regulates. “As DFS continues to implement its landmark cybersecurity regulation, we will take proactive steps to protect our financial services industry from cybercriminals.”

The rules established in March require that financial services companies regulated by the DFS have state-approved plans to deter cyberattacks and report any attacks to the state agency within 72-hours of when they occur.

Today's deadline by the DFS is a “formal declaration” that companies regulated by the department are in compliance with the regulations, said Steven Grossman, the vice president of strategy at Bay Dynamics, a cybersecurity company that recently relocated from San Francisco to New York.

“Today's deadline doesn't change anything on the ground,” Grossman said in an interview. “What it changes is that you have a signature on paper stating that they're in compliance.” The deadline “puts someone's feet to the fire” to uphold that the company is in compliance, Grossman added.

Krotoski said that despite the phased in approach to the regulations, there are still growing pains. He said that the challenge being raised by clients is that there are “many different standards with regulators” and that efforts to comply with all of the different rules put in place by regulators is “costly and cumbersome.” Hopefully the “process becomes more harmonized and streamlined,” he added.