Financial Services Compliance: New NYDFS Cyber Regulations

The current regulation went into effect on March 1, 2017. It is the first regulation of its kind in the United States, though other states are beginning to follow suit. The NYDFS Cybersecurity regulations have been widely praised by security experts and industry professionals for creating a strong framework for organizations to maintain a secure environment. Despite this, many organizations are still struggling to comply with the regulations due to high costs and complex requirements 

The New York Department of Financial Services (NYDFS) Cybersecurity regulation is a set of rules put in place to protect financial institutions in the state from cyber threats.  

The NYDFS is now in the process of making amendments to the existing Cybersecurity regulations. The proposed amendments – issued on 11/9/22 – just came out of an open comment period on 1/9/23, and are expected to go into become effective early in the summer of 2023 – are aimed at strengthening the current set of requirements and increasing accountability for organizations that handle customer data.

The new amendments call for a general tightening of required cyber-safety protocols, including: 

Chief Information Security Officer (CISO) Authority and Responsibility

The CISO must have adequate authority to ensure cybersecurity risks are appropriately managed, including the ability to direct sufficient resources to implement and maintain a cybersecurity program.” (500.4a)   b. The CISO shall also timely report to the senior governing body regarding material cybersecurity issues, such as updates to the covered entity’s risk assessment or major cybersecurity events.” (500.4c)

Vulnerability Management

Each covered entity must “develop and implement written policies and procedures for vulnerability management that are designed to assess the effectiveness of [the covered entity’s] its cybersecurity program.” (500.5)

Access Management

Each covered entity must “limit user access privileges to information systems that provide access to nonpublic information [and shall periodically review such access privileges] to those necessary to perform the user’s job;” (500.7)… b. And “periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary; “ (500.7)

Multi-Factor Authentication

Except where reasonably equivalent or more secure compensating controls have been implemented and approved by the CISO in writing, multi-factor authentication shall be utilized for: (1) remote access to the covered entity’s information systems; (2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and (3) all privileged accounts.” (500.12)

Training and Monitoring

Each covered entity shall “provide [regular] periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering exercises for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.” (500.14)

Altourage and Financial Services Firms 

Altourage client engagements are designed to ensure all of our clients stay ahead of their specific industry regulation compliance protocols.

Specifically, our financial services group works with firms of all types and sizes, from fintech start-ups to established private equity groups. We modernize ecosystems, bring together specialized vendors, and support and protect your workforce and your sensitive data – allowing you to anticipate change, maintain compliance with current and future regulations, and stay on top of your competitive set.