
NYDFS Cybersecurity Requirements Are Now Fully Mandatory – Are You Ready?

For Financial Services Companies, One Final Phase Remains

by Michael Magrath
April 23, 2019
in Cybersecurity, Featured, Financial Services

The NYDFS cybersecurity requirements, first enacted in 2017, are now fully in place and helping to address glaring shortcomings in data security. OneSpan’s Michael Magrath provides a quick recap of the fourth and final phase of mandates to help organizations ensure they’re up to speed.

New York’s reputation as the “financial capital of the world” is legendary. The New York State Department of Financial Services (NYDFS) regulates approximately 1,500 financial institutions and banks, as well as over 1,400 insurance companies, and the overwhelming majority of financial institutions conducting business in the U.S. fall under NYDFS regulation – including international organizations operating in New York.

The NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), first enacted in 2017, are now fully in place, and all banks and financial services companies operating in the state must secure their assets and customer accounts against cyberattacks in compliance with its mandates.

The regulation requires financial institutions to implement specific policies and procedures to better protect user data and to implement effective third-party risk management programs with specific requirements – both digital and physical.

While the financial sector has long been ahead of other sectors in terms of data protections, the regulation is nonetheless helping to address glaring shortcomings in data security by requiring specific reporting procedures, cybersecurity policies, the designation of a Chief Information Security Officer (CISO), incident response and notification requirements, penetration testing, security awareness training and board-level communication.

Among the regulation’s mandates is the use of multifactor authentication “to protect against unauthorized access to Nonpublic Information or Information Systems” – with nonpublic information being the individual’s private information.

By not mandating a specific technology solution, the regulation helps allow financial institutions to continue to deploy the latest and most advanced solutions to protect data and assets. From an authentication standpoint, financial institutions can continue to deploy user-friendly, secure, frictionless solutions such as adaptive authentication to meet the multifactor authentication requirements that are mandated for all individuals with certain access levels.

Section 500.12 – Multifactor Authentication (MFA)

  • Based on the risk assessment, each organization must use effective controls, which can include risk-based authentication or multifactor authentication, in an effort to protect nonpublic information or information systems from unauthorized access.
  • MFA must be used for any individual accessing the organization’s internal networks from an external network (the only exception is if the organization’s CISO has given written approval for the use of equivalent or more secure access controls).
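The two bullets above can be turned into a mechanical compliance check. The following Python audit is an added example, not code from the article or from OneSpan; it assumes a constructed log format (user, source address, MFA flag), constructed internal address ranges, and a hypothetical list of accounts covered by a CISO-approved exception.

```python
import ipaddress
from dataclasses import dataclass

# Assumption: the institution's internal address ranges (constructed).
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"),
                 ipaddress.ip_network("192.168.0.0/16")]

# Assumption: accounts with the CISO's written approval for an equivalent or
# more secure control, the one exception 500.12 allows (constructed names).
CISO_APPROVED = {"svc-file-transfer"}

@dataclass(frozen=True)
class AuthEvent:
    user: str
    source_ip: str
    mfa_verified: bool

def parse_event(line: str) -> AuthEvent:
    # Constructed log format: "user,source_ip,mfa=yes|no"
    user, ip, mfa = (f.strip() for f in line.split(","))
    return AuthEvent(user, ip, mfa.lower() == "mfa=yes")

def is_external(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)

def violates_500_12(evt: AuthEvent) -> bool:
    """External-network access to internal systems requires MFA unless the
    account is covered by a CISO-approved exception. Access from inside the
    network falls under the risk-assessment clause and is not flagged here."""
    if not is_external(evt.source_ip) or evt.mfa_verified:
        return False
    return evt.user not in CISO_APPROVED

def audit(lines):
    """Return 'user@ip' for every event that breaches the 500.12 MFA rule."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        evt = parse_event(line)
        if violates_500_12(evt):
            findings.append(f"{evt.user}@{evt.source_ip}")
    return findings

# Constructed sample events: two internal logins, three from external networks.
SAMPLE_LOG = """\
# user,source_ip,mfa
alice,10.20.3.4,mfa=no
bob,203.0.113.7,mfa=yes
carol,198.51.100.9,mfa=no
svc-file-transfer,203.0.113.8,mfa=no
dave,192.168.1.20,mfa=no
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG.splitlines()):
        print("500.12 violation:", finding)
```

Only carol's login is reported: it comes from an external address without a second factor and the account has no documented exception.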

This is a necessary step-up in security posture, because as reported in Verizon’s 2017 Data Breach Investigations Report, “81 percent of hacking-related breaches leverage stolen and/or weak passwords.” With that in mind, there is a strong likelihood that, had multifactor authentication been mandated earlier, it might have prevented or sharply reduced the impact of many of the data breaches we’ve seen over the last few years.

The last of the four phases of implementation has just come into effect, marking the end of the two-year transition period. It specifies that “the organization must document written procedures and policies to ensure third-party risk management programs protect information systems and nonpublic information.” Among the Phase 4 key provisions and requirements for the financial services provider’s own systems and processes are:

  • Written policies and procedures designed to protect users from risks posed by third-party service providers;
  • The identification and risk assessment of third-party service providers;
  • Minimum cybersecurity practices required of third parties;
  • The evaluation of third-party cybersecurity practices through due diligence; and
  • Periodic risk-based assessments.

There are also policies and procedures for third-party service providers, including guidelines for due diligence and contractual protections, addressing:

  • Access controls, including multifactor authentication;
  • Encryption;
  • Notifications to be provided to the primary organization in response to a cybersecurity event; and
  • Representations and warranties for a third party’s cybersecurity policies and procedures.

Though Phase 4 must be implemented this year, there is one final deadline still looming: Banks and financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020.


Michael Magrath

Michael Magrath is vice president of global standards and regulations at OneSpan and is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is co-chair of the FIDO Alliance’s government deployment working group and is on the board of directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the board of directors for the Identity Ecosystem Steering Group’s (IDESG) and was chair of the Health Information Management Systems Society (HIMSS) identity management task force. Prior to OneSpan, he served as director for identity solutions for DrFirst, a leading U.S. health IT solution provider and focused on streamlining and securing the identity management process for healthcare providers nationwide and increasing the adoption of electronically prescribing controlled substances (EPCS).
© 2022 Corporate Compliance Insights