New York DFS Cybersecurity Rules Take Effect March 1

The New York Department of Financial Services (“DFS”) recently issued a revised rules proposal that will add its own cybersecurity requirements to those already in place for banks, insurance companies and other financial services companies. While the proposed rules would only be applicable to financial firms licensed by the New York DFS, they reveal that state regulators are just as concerned about the growing risk of cybersecurity breaches. New York’s proposed rules are the first of their kind in the United States for a state regulator to issue, and may portend a sign of things to come.

Due in part to the nature and volume of the personally identifiable information (PII) they maintain, and partially attributable to the name recognition of some high-profile banks and financial institutions, these firms are increasingly finding themselves at the receiving end of targeted and sophisticated cyber-attacks.

As proposed, 23 NYCRR 500 (“Cybersecurity Requirements for Financial Services Companies”) will require financial institutions under the jurisdiction of the DFS “to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

The Cyber Rules will become effective on March 1, 2017, and covered entities will be required to submit annual certificates of compliance to the DFS beginning February 15, 2018.

Take Action Now to Ensure DFS Compliance

Ascendant creates tailored and risk-based policies and procedures for firms designed to address the DFS Cybersecurity Regulation to include the following areas to the extent applicable to the Company’s operations:

  • Information Security
  • Data Governance and Classification
  • Asset Inventory and Device Management
  • Access Controls and Identity Management
  • Business Continuity and Disaster Recovery Planning and Resources
  • Systems Operations and Availability Concerns
  • Systems and Network Security
  • Systems and Network Monitoring
  • Systems and Application Development and Quality Assurance
  • Physical Security and Environmental Controls
  • Customer Data Privacy
  • Vendor and Third-Party Service Provider Management
  • Risk Assessment
  • Incident Response

For more information about how we can help you reach compliance with New York’s new DFS Cybersecurity requirements, contact us.

Latest Content

Ascendant’s Jason Morton to Speak on RegTech at Strata Data Conference

Alongside technology experts from American Express, Credit Suisse and CIBC, Ascendant’s Jason Morton will speak on developments in regulatory technology at the ‘Fintech Data Day’ at the annual Strata Data Conference on September 26, 2017 in New York. The Strata Data Conference is an annual conference for technology and business professionals who are seeking innovative … Continued

Hurricane Season: How Does your BCM Program Stack Up?

As Hurricane Harvey touches down on U.S. soil and we hope for the safety of the millions in its path, we encourage all firms, even those outside Harvey’s path of flooding and damaging winds, to consider their BCM readiness for such an event. Business Continuity Plans are designed to ensure firms have conducted sufficient advance preparation so … Continued

Surprise, Surprise: SEC Conducting Unannounced Exams

The Boston Regional Office of the SEC has recently conducted roughly 20 unannounced visits to registered investment advisers in the region. This fact, confirmed during the recent meeting of the New England Broker-Dealer and Investment Adviser Association (NEBDIAA), is in keeping with the SEC’s renewed focus on a more robust examination program. While onsite, the … Continued

One Phish, Two Phish, Red Phish, Blue Phish: How to Detect and Mitigate Social Engineering and Ransomware Techniques

Ransomware attacks like WannaCry and NotPetya are increasing in both frequency and damage, routinely making headline news with their abilities to bring down networks of established companies. Yet these cyberattacks typically start by compromising the weakest point in your security chain – people – through simple or complex phishing techniques before spreading to other parts … Continued

DOL Fiduciary Rule Transition Period Extension to 2019 Requested

The Secretary of Labor, Alexander Acosta, made a court filing on August 9 requesting the Transition Period and Delay of Applicability for the Department of Labor Fiduciary Rule be extended from January 1, 2018 to July 1, 2019. This court filing included extending the deadlines for the following Prohibited Contract Exemptions: Best Interest Contract Exemption … Continued

Mailing List

Subscribe to the Ascendant Compliance email list for the latest compliance resources, conferences, ComplianceCasts™, and more.

Loading form...

Contact Us

Ascendant works together with clients to identify and assess critical needs through customized plans. If you need assistance with compliance functions, regulatory services, cybersecurity or technology tools, we’d love to speak with you.