Corporate Compliance Insights

NYDFS Cybersecurity Requirements Are Now Fully Mandatory – Are You Ready?

For Financial Services Companies, One Final Phase Remains

by Michael Magrath
April 23, 2019
in Cybersecurity, Featured, Financial Services

The NYDFS cybersecurity requirements, first enacted in 2017, are now fully in place and helping to address glaring shortcomings in data security. OneSpan’s Michael Magrath provides a quick recap of the fourth and final phase of mandates to help organizations ensure they’re up to speed.

New York’s reputation as the “financial capital of the world” is legendary. The New York State Department of Financial Services (NYDFS) regulates approximately 1,500 financial institutions and banks, as well as over 1,400 insurance companies, and the overwhelming majority of financial institutions conducting business in the U.S. fall under NYDFS regulation – including international organizations operating in New York.

The NYDFS Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), first enacted in 2017, are now fully in place, and all banks and financial services companies operating in the state must secure their assets and customer accounts against cyberattacks in compliance with its mandates.

The regulation requires financial institutions to implement specific policies and procedures to better protect user data and to implement effective third-party risk management programs with specific requirements – both digital and physical.

While the financial sector has long been ahead of other sectors in terms of data protections, the regulation is nonetheless helping to address glaring shortcomings in data security by requiring specific reporting procedures, cybersecurity policies, the designation of a Chief Information Security Officer (CISO), incident response and notification requirements, penetration testing, security awareness training and board-level communication.

Among the regulation’s mandates is the use of multifactor authentication “to protect against unauthorized access to Nonpublic Information or Information Systems” – with nonpublic information being the individual’s private information.

By not mandating a specific technology solution, the regulation leaves financial institutions free to keep deploying the latest and most advanced solutions to protect data and assets. From an authentication standpoint, financial institutions can continue to deploy user-friendly, secure, frictionless solutions such as adaptive authentication to meet the multifactor authentication requirements mandated for all individuals with certain access levels.

Section 500.12 – Multifactor Authentication (MFA)

  • Based on the risk assessment, each organization must use effective controls, which can include risk-based authentication or multifactor authentication, in an effort to protect nonpublic information or information systems from unauthorized access.
  • MFA must be used for any individual accessing the organization’s internal networks from an external network (the only exception is if the organization’s CISO has given written approval for the use of equivalent or more secure access controls).

This is a necessary step-up in security posture, because as reported in Verizon’s 2017 Data Breach Investigations Report, “81 percent of hacking-related breaches leverage stolen and/or weak passwords.” With that in mind, there is a strong likelihood that, had multifactor authentication been mandated earlier, it would have prevented or sharply reduced the impact of many of the data breaches we’ve seen over the last few years.

The last of the four phases of implementation has just come into effect, marking the end of the two-year transition period. It specifies that “the organization must document written procedures and policies to ensure third-party risk management programs protect information systems and nonpublic information.” Among the Phase 4 key provisions and requirements for the financial services provider’s own systems and processes are:

  • Written policies and procedures designed to protect users from risks posed by third-party service providers;
  • The identification and risk assessment of third-party service providers;
  • Minimum cybersecurity practices required of third parties;
  • The evaluation of third-party cybersecurity practices through due diligence; and
  • Periodic risk-based assessments.

There are also policies and procedures for third-party service providers, including guidelines for due diligence and contractual protections, addressing:

  • Access controls, including multifactor authentication;
  • Encryption;
  • Notifications to be provided to the primary organization in response to a cybersecurity event; and
  • Representations and warranties for a third party’s cybersecurity policies and procedures.

Though Phase 4 must be implemented this year, there is one final deadline still looming: Banks and financial institutions are not required to certify their compliance with the regulation’s third-party service provider risk management provisions until February 15, 2020.


Tags: banks, due diligence
Michael Magrath

Michael Magrath is Director of Global Standards and Regulations at OneSpan and is responsible for aligning OneSpan’s solution roadmap with standards and regulatory requirements globally. He is Co-Chair of the FIDO Alliance’s Government Deployment Working Group and is on the Board of Directors of the Electronic Signature and Records Association (ESRA). He also served as a member of the Board of Directors of the Identity Ecosystem Steering Group (IDESG) and was Chair of the Health Information Management Systems Society (HIMSS) Identity Management Task Force. Prior to OneSpan, he served as Director for Identity Solutions at DrFirst, a leading U.S. health IT solution provider, where he focused on streamlining and securing the identity management process for healthcare providers nationwide and on increasing the adoption of electronic prescribing of controlled substances (EPCS). Before DrFirst, Mike led Gemalto’s market and business development activities in the U.S. government and healthcare markets and was a contributing member of the Health Record Banking Alliance, WEDI, HIMSS, the Medical Identity Fraud Alliance and the Secure ID Coalition. He served as Chairman of the Secure Technology Alliance’s (formerly the Smart Card Alliance) Health & Human Services Council from 2010 to 2014, where he led initiatives to stimulate the understanding, adoption, use and widespread application of smart card technology in healthcare. He served as an advisor to the American Medical Association supporting a Centers for Disease Control grant to develop and test the viability of a “Health Security Card” to identify and expeditiously treat victims in the event of a disaster. Mike holds a Bachelor’s Degree in Psychology from the University of Massachusetts at Amherst. He is married with three children and resides in Northern Virginia.

© 2019 Corporate Compliance Insights