NYDFS cybersecurity rules now in effect for financial institutions

The New York Department of Financial Services (DFS) reminded financial institutions that the first compliance date of New York’s cybersecurity regulation (23 NYCRR Part 500) was Aug. 28, 2017.

Financial institutions have had since the regulation took effect on March 1, 2017 (a 180-day transitional period) to implement the requirements, which are intended to keep financial institutions and their customers safe.

“This day marks a significant milestone in protecting the financial services industry and the consumers they serve from the threat of cyber-attacks,” said Financial Services Superintendent Maria T. Vullo.

“With cyber-attacks on the rise and comprehensive federal cybersecurity policy lacking for the financial services industry, New York is leading the nation with strong cybersecurity regulation requiring, among other protective measures, set minimum standards of a cybersecurity program based on the risk assessment of the entity, personnel, training and controls in place in order to protect data and information systems,” said Vullo.

Vullo recapped that starting this week, banks, insurance companies, and other financial services institutions regulated by DFS are required to have:

A cybersecurity program designed to protect consumers’ private data.
A written policy or policies that are approved by the board or a senior officer.
A Chief Information Security Officer to help protect data and systems.
Controls and plans in place to help ensure the safety and soundness of New York’s financial services industry.
On top of this, Vullo said covered entities must also begin reporting cybersecurity events to DFS through the department’s online cybersecurity portal; the regulation (section 500.17) requires that notice within 72 hours of the entity determining that a reportable event has occurred.


Most notably, the regulation includes stricter requirements around third-party service providers (section 500.11). Note that this section carries a longer transitional period than the Aug. 28 requirements: covered entities have until March 1, 2019 to comply with it.

Under the third-party service provider policy, “Each Covered Entity shall implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third Party Service Providers. Such policies and procedures shall be based on the Risk Assessment of the Covered Entity and shall address to the extent applicable.”

And as an added reminder, DFS noted that a cybersecurity event is reportable if it falls into at least one of the following two categories:

The cybersecurity event impacts the covered entity and notice of it is required to be provided to any government body, self-regulatory agency or any other supervisory body.
The cybersecurity event has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity.