Financial Services Cyber Regulation & Compliance: An NYDFS Primer 

What are the NYDFS Cybersecurity regulations for the Financial Services Industry? 

The New York Department of Financial Services (NYDFS) Cybersecurity regulation is a set of rules put in place to protect financial institutions in the state from cyber threats.  

The current regulation went into effect on March 1, 2017. It is the first regulation of its kind in the United States, though other states are beginning to follow suit. The NYDFS Cybersecurity regulations have been widely praised by security experts and industry professionals for creating a strong framework for organizations to maintain a secure environment. Despite this, many organizations are still struggling to comply with the regulations due to high costs and complex requirements 

The rule outlines processes for managing security risks, such as encrypting data and monitoring system activities and requires all covered organizations to: 

1) Maintain an effective cybersecurity program,  

2) Appoint an Information Security Officer who will be responsible for overseeing their cybersecurity program,   

3) Have a policy for assessing third-party vendors such as cloud-based services, 

4) Report any cyber security incidents to the NYDFS within 72 hours of discovery, and have a plan in place for responding to such events,  

5) Notify customers of any breaches or unauthorized access attempts. 

6) Provide annual certifications that they are compliant with the requirements, 

Organizations that are non-compliant with the NYDFS Cybersecurity regulation face significant fines and penalties, ranging from $5,000 to $250,000 per violation. It is important for organizations to ensure they understand and comply with the regulations to protect their business and customer data. Failure to comply could result in hefty financial losses and reputational damage. Organizations should also consider working with a third-party to help assess their cybersecurity program and ensure that they are meeting all of the NYDFS Cybersecurity regulations. This will not only help them remain compliant, but will also allow them to have peace of mind knowing that their data is secure.  

What Are The Proposed Amendments to the NYDFS Cybersecurity Regulations? 

The New York Department of Financial Services (NYDFS) is in the process of making amendments to the existing Cybersecurity regulations. The proposed amendments are aimed at strengthening the current set of requirements and increasing accountability for organizations that handle customer data. The new amendments include: 

1) Enhanced risk assessment standards 

2) Improved identity management,  

3) Expanded oversight over third-party vendors 

4) Improved breach notification requirements. 

For example, organizations will have to use multi-factor authentication for all customer accounts, as well as implement a system that monitors user activity and flags anomalous behavior. They will be required to provide annual certifications of their compliance with the NYDFS Cybersecurity regulation, which must include a report of their risk assessment and a description of how they are addressing any identified risks. The proposed amendments also extend the breach reporting timeline from 72 hours to 24 hours, giving organizations less time to respond to incidents.  

The proposed amendments are still pending and have not yet been approved by the NYDFS. Organizations should keep an eye out for any updates and prepare to adjust their cybersecurity policies and procedures accordingly. Once the amendments are approved, organizations will have one year to become compliant with the new requirements. As such, it is important for all organizations that handle customer data in New York State to carefully review the proposed amendments and take appropriate steps to ensure compliance.  

Altourage And the  Financial Services Sector  

The financial services industry occupies a unique position; obligated to provide a traditional sense of safety and security while relying on cutting-edge technology to maintain a competitive advantage. 

Our financial services group works with firms of all types and sizes, from fintech start-ups to established private equity groups. We modernize ecosystems, bring together specialized vendors, and support and protect your workforce, and sensitive data, allowing you to anticipate change, maintain compliance, and stay on top. 

About Altourage 

Altourage is a client-obsessed managed service provider, offering IT and Cybersecurity services to clients in ‘high-trust’ sectors, including Financial Services, Professional Services and Nonprofit Organizations.  

We offer both fully managed and co-managed services – customizing our services or integrating with our clients’ existing teams to build successful long-term partnerships.