Corporate Compliance Insights

Bringing NYDFS Compliance into Focus

by Roman Blachman
November 1, 2017
in Compliance, Featured

New Regulations Bring New Challenges

The New York Department of Financial Services (DFS) Cybersecurity Requirements are forcing companies to look for ways to prepare and for tactics to navigate the new regulation. This risk-driven regulation requires financial services institutions regulated by DFS to establish and maintain a cybersecurity program that protects both customers’ private data and the technology that supports it.
The New York State Department of Financial Services (NYDFS) has recently enacted a new cybersecurity regulation aimed at protecting financial services organizations and their data. The new regulation, known as 23 NYCRR 500, went into effect earlier in the year, but the 180-day transition period ended on August 28, meaning organizations now need to be officially in compliance. More deadlines are approaching in 2018 for other sections of Part 500. Of course, CISOs at financial services firms are no strangers to regulation, having to comply with established control frameworks such as NIST, COBIT and SSAE and with specific regulations such as PCI DSS and SEC OCIE, to name a few.

However, the NYDFS requirements could prove challenging for a few reasons. First, the reach is significant. While it is a state regulation, it naturally applies to companies that do business in New York, including businesses headquartered outside the state as well as international companies. Additionally, the regulation requires organizations to ensure that the third-party organizations they do business with are secure as well.

Beyond its official reach, the NYDFS regulation is both forward-looking and specific in its requirements. It establishes a risk-based approach to a variety of security controls and even specifies instances where multifactor authentication is required.

Let’s look at some of the particulars:

Continuous Monitoring

The NYDFS is very specific about how organizations will need to identify risk. There are two choices: (1) establish continuous monitoring for internal and external threats, or (2) submit to a regular schedule of penetration testing and vulnerability testing. By adopting continuous monitoring, organizations can simplify their compliance process and remove the need to document pen tests and vulnerability testing.

There are security solutions that offer simple, low-friction ways to establish continuous, real-time monitoring of an environment. And while regular pen testing is always a good idea, anything that makes documenting compliance easier is a good thing. More importantly, implementing a solution that provides visibility and control along with continuous monitoring will make it easier for organizations to meet other NYDFS requirements as well.

User and Device Control

The NYDFS also requires organizations to monitor and control the entities in their environment. This includes device-centric requirements to perform asset inventory and device management as well as more user-centric requirements for access controls and identity management.

In this instance, it is imperative to automatically keep track of users, service accounts and all related devices. Simply being able to document up-to-the-minute visibility of these entities can be very powerful during an audit. Beyond monitoring users, accounts and devices, such a system also makes it easy to set policies that control access based on any number of factors, including the user’s role, risk or the type of device in use. This combination of visibility and auditable policy enforcement puts organizations on very solid ground when it comes to documenting compliance.

Context Based on Risk

The NYDFS requirements repeatedly call for organizations to identify and manage risk in their environment, specifically the need to establish “risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information…”

Additionally, the regulation requires risk-based authentication controls and has very pointed requirements for the use of multifactor authentication. Risk-based authentication is defined as a system that “detects anomalies or changes in the normal use patterns of a Person and requires additional verification of the Person’s identity when such deviations or changes are detected.” The document even calls out the need to trigger multifactor authentication for any connections to internal assets from an outside network.

No security product is a silver bullet for regulatory issues, but a few make it easier to keep up with the NYDFS. For example, it is entirely possible to have every entity in the network constantly monitored and scored based on its observed risk. Risk can be recognized from environmental factors such as the use of a weak password, the use of an unmanaged device or a connection from an outside network. A solution that learns the behavior of every entity can also recognize abnormal behavior and raise the entity’s risk in response. Any of these factors, or the composite risk score, can then drive a policy-based response such as a multifactor authentication challenge or an outright block.
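The two sections above (User and Device Control, and Context Based on Risk) describe one mechanism: an inventory of users, service accounts and devices, a set of risk factors scored per access attempt, a behavioral baseline per entity, and a policy response driven by the composite score. The block below is an added illustration of that mechanism in Python; it is not code from the article or from any vendor product. The inventory, the device list, the factor weights, the thresholds and the rule that any connection to an internal asset from an outside network gets at least an MFA challenge are all constructed assumptions for the example.

```python
"""Toy risk-scoring and access-policy engine (added example, not the
article's or any vendor's code). Entities, devices, weights and
thresholds are constructed for illustration."""
from dataclasses import dataclass, field

INTERNAL_NETWORKS = {"corp"}   # any other source network counts as "outside"
MFA_THRESHOLD = 30             # composite score at which we step up to MFA
BLOCK_THRESHOLD = 70           # composite score at which we refuse outright


@dataclass
class Entity:
    name: str
    kind: str                  # "user" or "service_account"
    role: str
    weak_password: bool = False
    # Behavioral baseline learned from past activity (constructed here).
    usual_networks: frozenset = field(default_factory=frozenset)
    usual_hours: range = range(8, 19)


@dataclass
class Device:
    device_id: str
    managed: bool              # enrolled in device management or not


@dataclass
class AccessRequest:
    entity: str
    device_id: str
    source_network: str
    hour: int                  # local hour of the attempt, 0-23
    target: str                # asset holding Nonpublic Information


@dataclass
class Decision:
    action: str                # "allow", "mfa_challenge" or "block"
    score: int
    factors: list


# Constructed inventory: the up-to-the-minute view an auditor would ask for.
INVENTORY = {
    "alice": Entity("alice", "user", "analyst", usual_networks=frozenset({"corp"})),
    "bob": Entity("bob", "user", "contractor", weak_password=True,
                  usual_networks=frozenset({"corp", "home-isp"})),
    "svc-backup": Entity("svc-backup", "service_account", "backup",
                         usual_networks=frozenset({"corp"}), usual_hours=range(0, 24)),
}
DEVICES = {
    "lt-001": Device("lt-001", managed=True),
    "byod-7": Device("byod-7", managed=False),
}


def risk_factors(req, inventory=INVENTORY, devices=DEVICES):
    """Return (factor, weight) pairs triggered by one access request:
    environmental factors first, deviations from the entity's baseline after."""
    ent = inventory.get(req.entity)
    if ent is None:
        return [("unknown_entity", 100)]     # not in inventory: no basis for trust
    factors = []
    dev = devices.get(req.device_id)
    if dev is None:
        factors.append(("unknown_device", 40))
    elif not dev.managed:
        factors.append(("unmanaged_device", 25))
    if ent.weak_password:
        factors.append(("weak_password", 20))
    outside = req.source_network not in INTERNAL_NETWORKS
    if outside:
        factors.append(("outside_network", 30))
    if req.source_network not in ent.usual_networks:
        factors.append(("new_network_for_entity", 20))
    if req.hour not in ent.usual_hours:
        factors.append(("unusual_hour", 15))
    if ent.kind == "service_account" and outside:
        factors.append(("service_account_from_outside", 40))
    return factors


def composite_score(factors):
    """Additive score capped at 100."""
    return min(100, sum(weight for _, weight in factors))


def decide(req, inventory=INVENTORY, devices=DEVICES):
    """Map the composite score to a policy response. A connection to an
    internal asset from an outside network always gets at least an MFA
    challenge, whatever the score (assumed rule)."""
    factors = risk_factors(req, inventory, devices)
    names = sorted(name for name, _ in factors)
    score = composite_score(factors)
    if score >= BLOCK_THRESHOLD:
        action = "block"
    elif score >= MFA_THRESHOLD or "outside_network" in names:
        action = "mfa_challenge"
    else:
        action = "allow"
    return Decision(action, score, names)


def audit_record(req, decision):
    """Flat record for the compliance log an examiner would review."""
    return {"entity": req.entity, "device": req.device_id, "network": req.source_network,
            "target": req.target, "score": decision.score,
            "factors": ",".join(decision.factors), "action": decision.action}


if __name__ == "__main__":
    for req in (AccessRequest("alice", "lt-001", "corp", 10, "hr-db"),
                AccessRequest("alice", "lt-001", "cafe-wifi", 22, "hr-db"),
                AccessRequest("bob", "byod-7", "home-isp", 10, "hr-db"),
                AccessRequest("svc-backup", "byod-7", "cafe-wifi", 3, "hr-db"),
                AccessRequest("mallory", "lt-001", "corp", 10, "hr-db")):
        print(audit_record(req, decide(req)))
```

Each decision carries the factors that produced it, so the audit record documents not only that an MFA challenge or block happened but why, which is the evidence an examiner asks for. A service account is deliberately scored harder from an outside network because it cannot answer an MFA challenge, so the only useful responses for it are allow or block.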

Review the NYDFS regulation closely and consider the extent of its guidelines for continuous monitoring, user and device control and context-based risk. Aligning with the core concepts in the NYDFS regulation will help reduce your risks, align your security and avoid steep penalties for violations.


Tags: Cyber Risk
Roman Blachman

Roman Blachman is Chief Technology Officer and co-founder of Preempt, pioneer of the industry’s first Behavioral Firewall, which helps enterprises preempt malicious breaches and insider threats in real time. He is responsible for product strategy and research and development. Prior to Preempt, Roman was a leading Apple iOS mobile security strategist and researcher at Lacoon Mobile Security (acquired by Check Point Software Technologies). Roman also served over ten years in the elite Israeli Defense Forces in Research and Development, where he led cybersecurity product development teams and a mobile cyber-security research team. He was also the Head of the Israeli Intelligence Branch, where he received an Excellence Award in 2006. Roman is an expert in enterprise-grade security systems.
