Corporate Compliance Insights
Using the New NYDFS Cybersecurity Regulation to “Lock the Data Vault” for Financial Institutions

Requirements Around Third-Party Risk Management

by Matan Or-El
April 8, 2019
in Data Privacy, Featured

The New York Department of Financial Services (NYDFS) requires all regulated entities to adopt the core requirements of a cybersecurity program. Panorays’ Matan Or-El discusses the regulation’s impact on financial institutions.

The cybersecurity landscape is becoming increasingly volatile for financial institutions, which are scrambling to fight off a barrage of attacks: bots, credential stuffing, account takeovers and more, carried out with banking Trojans, ATM malware and mobile malware. With open banking on the horizon, every new service a financial institution offers adds to that exposure. Personal data, customer accounts and institutional reputation are all at stake.

With the deluge of breaches in the last year, it is a wonder that any personal data is left to protect that hasn't already been sold on the dark web. These trends prompted the New York State Department of Financial Services (NYDFS) to issue its Cybersecurity Regulation (23 NYCRR Part 500). The regulation's third-party service provider requirements took effect in March 2019, at the end of the regulation's transitional period. It sets cybersecurity standards for NYDFS-regulated financial institutions, including credit unions, health insurers, investment companies, licensed lenders, life insurance companies, mortgage brokers, savings and loan associations, private bankers, offices of foreign banks and commercial banks.

The regulation requires covered organizations to assess their cybersecurity risk and adopt written policies that address, among other areas, data governance and classification, access controls, systems monitoring and incident response. Regulated organizations must now meet these requirements:

  • Consumers' nonpublic information must be protected by a cybersecurity program
  • A written cybersecurity policy must be approved by the board of directors or a senior officer
  • Protection of data and systems must be overseen by a CISO
  • Third-party service providers must be held to appropriate security requirements
  • Incident response plans for data breaches and cyberattacks must be in place to protect the institution's and its customers' data

Organizations need to put all the above into place or face possible fines and business disruptions.

What NYDFS Requires When Working with Third Parties

One of the most significant outcomes of NYDFS is how it will change the way financial institutions manage and secure the supply chain.

In 2018, supply chain attacks rose by 78 percent over the year before, according to the Symantec Internet Security Threat Report.* Cybercriminals are clearly testing new attack strategies, keeping the ones that succeed and rolling them out across industries, getting more out of fewer attacks. This puts pressure on the entire supply chain, and especially on smaller banks that may lack the in-house IT expertise to defend themselves.

The regulation requires covered institutions to set minimum cybersecurity requirements for their third-party service providers and to assess those providers' security practices periodically, following written policies and procedures. Those policies are expected to address controls such as multi-factor authentication and encryption of nonpublic information, along with detection of attacks and fraudulent transactions and prompt notice to the institution, and in turn to the state regulator, when a breach occurs.

With more detailed procedures and possibly hundreds of suppliers, third-party vendors can no longer be managed with paper questionnaires alone. Institutions need tooling that vets third parties and their own partners, then continuously scans them for vulnerabilities an attacker could exploit, alerts the partner and tracks the issue to resolution. Managing these relationships still takes significant effort, but automated tools can do much of the heavy lifting.

Complying With NYDFS

Complying with the regulation means that financial institutions must know their third-party suppliers in far more detail: how critical each relationship is and what data the supplier can access. Limiting access to critical data is a first step toward shoring up the risk posture of the entire supply chain. Banks should require and enforce deletion of shared data after a defined retention period and limit access to what each supplier actually needs. Third parties must also provide visibility into how the data they access is being used.

Even before engaging a new supplier, financial institutions should review the vendor's security posture and understand the systems it runs, the protocols it uses and the security technologies it has in place. Should a cybersecurity problem arise, the bank should be able to engage with the supplier and pinpoint the issue so that the supplier is aware of it, understands it and knows how to fix it. Suppliers should also give the institution ongoing visibility into security incidents and breach records that affect its data.

Financial institutions will have to communicate clearly to all their suppliers the liabilities and consequences of not meeting the regulation's requirements; every part of the supply chain will now be held accountable. By February 15, 2020, covered institutions must certify their compliance with the regulation, a certification that falls to the board of directors or a senior officer. Cybersecurity, including third-party cybersecurity, will therefore need to be a priority, and automation is what makes it practical to keep the supply chain secure while avoiding compliance violations.

* https://www.symantec.com/blogs/threat-intelligence/istr-24-cyber-security-threat-landscape  


Tags: Automation, Banking, Data Breach, Supply Chain, Third Party Risk Management

Matan Or-El


Matan Or-El is co-founder and CEO of Panorays. He established his first startup at the age of 18, one of the first local media and entertainment sites. Matan also co-founded a location-based service for mobile devices and a security startup in the authentication field. He started Panorays with the goal of improving the industry's cyber resilience. Matan previously led the infrastructure team at Imperva and is recognized as one of Israel's 40 under 40.

© 2025 Corporate Compliance Insights