New York DFS Cybersecurity Rules Take Effect March 1

The New York Department of Financial Services (“DFS”) recently issued a revised rules proposal that will add its own cybersecurity requirements to those already in place for banks, insurance companies and other financial services companies. While the proposed rules would apply only to financial firms licensed by the New York DFS, they reveal that state regulators are just as concerned about the growing risk of cybersecurity breaches. New York’s proposed rules are the first of their kind issued by a state regulator in the United States, and may be a sign of things to come.

Due in part to the nature and volume of the personally identifiable information (PII) they maintain, and in part to the name recognition of some high-profile banks and financial institutions, these firms increasingly find themselves on the receiving end of targeted and sophisticated cyber-attacks.

As proposed, 23 NYCRR 500 (“Cybersecurity Requirements for Financial Services Companies”) will require financial institutions under the jurisdiction of the DFS “to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State’s financial services industry.”

The Cyber Rules will become effective on March 1, 2017, and covered entities will be required to submit annual certificates of compliance to the DFS beginning February 15, 2018.

Take Action Now to Ensure DFS Compliance

Ascendant creates tailored, risk-based policies and procedures for firms, designed to address the DFS Cybersecurity Regulation and covering the following areas to the extent applicable to the Company’s operations:

  • Information Security
  • Data Governance and Classification
  • Asset Inventory and Device Management
  • Access Controls and Identity Management
  • Business Continuity and Disaster Recovery Planning and Resources
  • Systems Operations and Availability Concerns
  • Systems and Network Security
  • Systems and Network Monitoring
  • Systems and Application Development and Quality Assurance
  • Physical Security and Environmental Controls
  • Customer Data Privacy
  • Vendor and Third-Party Service Provider Management
  • Risk Assessment
  • Incident Response

For more information about how we can help you reach compliance with New York’s new DFS Cybersecurity requirements, contact us.
