New York DFS Cybersecurity Rules Take Effect March 1

The New York Department of Financial Services (“DFS”) recently issued a revised rules proposal that will add its own cybersecurity requirements to those already in place for banks, insurance companies and other financial services companies. While the proposed rules would only be applicable to financial firms licensed by the New York DFS, they reveal that state regulators are just as concerned about the growing risk of cybersecurity breaches. New York’s proposed rules are the first of their kind in the United States for a state regulator to issue, and may portend a sign of things to come.

Due in part to the nature and volume of the personally identifiable information (PII) they maintain, and partially attributable to the name recognition of some high-profile banks and financial institutions, these firms are increasingly finding themselves at the receiving end of targeted and sophisticated cyber-attacks.

As proposed, 23 NYCRR 500 (“Cybersecurity Requirements for Financial Services Companies”) will require financial institutions under the jurisdiction of the DFS “to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

The Cyber Rules will become effective on March 1, 2017, and covered entities will be required to submit annual certificates of compliance to the DFS beginning February 15, 2018.

Take Action Now to Ensure DFS Compliance

Ascendant creates tailored and risk-based policies and procedures for firms designed to address the DFS Cybersecurity Regulation to include the following areas to the extent applicable to the Company’s operations:

  • Information Security
  • Data Governance and Classification
  • Asset Inventory and Device Management
  • Access Controls and Identity Management
  • Business Continuity and Disaster Recovery Planning and Resources
  • Systems Operations and Availability Concerns
  • Systems and Network Security
  • Systems and Network Monitoring
  • Systems and Application Development and Quality Assurance
  • Physical Security and Environmental Controls
  • Customer Data Privacy
  • Vendor and Third-Party Service Provider Management
  • Risk Assessment
  • Incident Response

For more information about how we can help you reach compliance with New York’s new DFS Cybersecurity requirements, contact us.

Latest Content

Schedule 13D/13F Clarity on ETF Issues

Do I need to file a 13D or 13G if my client accounts hold in excess of 5% of an ETF? Generally, no. The SEC has granted no-action relief to ETFs with respect to compliance with Section 13(d) of the Securities Exchange Act. Section 13(d) was designed to require disclosure when holders begin to accumulate … Continued

New Remedy Coming for SEC’s Custody Rule?

The SEC’s Custody Rule continues to be a common source of confusion and a landmine for noncompliance. Custodial paperwork has caused huge headaches for investment advisers, who are not a party to the agreement and may not even have a copy of the custodial new account paperwork. The issue with existing guidance is that it … Continued

SEC Issues MiFID II No-Action Relief

Some industry anxiety was assuaged on October 26 with three no-action letters that offer relief for some US regulated broker-dealers and investment advisers regarding European MiFID II regulations. The letters followed consultation with the European authorities, and are designed to address concerns that investors could lose access to valuable research. MiFID II is a series of regulations … Continued

Regulatory Changes Impacting RICs and Service Providers

A year ago, the SEC adopted Investment Company Reporting Modernization Rules and Forms, as well as rules pertaining to liquidity risk management programs and swing pricing. New forms N-Port and N-Cen along with amendments to Regulation S-X significantly change the current reporting regime for most registered investment companies (RICs) because they require more comprehensive disclosure and … Continued

Publicly Available Information Heightens Need for Cybersecurity Vigilance

For any business, “ports” that allow for communication generally need to be open (for example, ports 80 and 443 for websites, and port 500 for VPN access). While most of these ports allow you to engage in critical functions, there are often ports that remain open despite being unneeded or unused. These available ports present … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.