If you’re a business that provides financial services in the state of New York, you’re required to be in compliance with a cybersecurity regulation from the New York State Department of Financial Services (NYDFS).
The NYDFS cybersecurity regulation dictates how you handle and protect sensitive information and secure your network from potential breaches as well as the cybersecurity records you need to keep on hand.
Since this regulation is relatively new, first going into effect on March 1, 2017, many of those in the financial services industries in NY are still getting their data security measures and documentation up to speed to ensure they’re in proper compliance with the new rules.
One of our most popular services at Triada Networks is our IT security and compliance for financial firms. We take the guesswork out of meeting NYDFS (and other) regulations and help NY and NJ financial services businesses with airtight data security so they can put their full effort into their business instead of worrying about the strength of their cybersecurity.
Have you been wondering… Is your firm required to comply with NYDFS? Is there any exemption for smaller businesses? What’s involved with their data security requirements?
We’ve got answers to those common questions and more coming up in this overview of NYDFS for New York financial firms. If you’re working in the financial industry in NY state, you’ll want to read on to learn important information.
Who is Required to Comply with the NYDFS Security Regulation?
The New York State Department of Financial Services defines what they call a “covered entity” (aka. Anyone that needs to comply with this regulation) as follows:
“Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or Financial Services Law.”
So, who does that mean? Here are a few examples of organizations that are required to comply with this regulation:
- Investment Companies
- Licensed Lenders
- Life Insurance Companies
- Credit Unions
- Private Bankers
- Health Insurers
- Mortgage Brokers
- Savings & Loans
- Commercial Banks
There are some limited exemptions to the NYDFS cybersecurity regulation which relieve certain covered entities from SOME, but not all, of the regulatory requirements. If you’re a financial services firm in New York and fall under the following provisions, you can get a limited exemption.
- Fewer than 10 employees working in NYS
- Less than $5 million in gross annual revenue
- Less then $10 million in year-end total assets
- Do not control any information systems and nonpublic information
- Captive insurance companies that don’t control nonpublic information (other than relating to a parent company)
What is a Company Required to Do Under NYDFS?
The NYDFS IT security regulation is as much about business continuity and disaster recovery as it is about consumer data protection.
It was created to both protect New York consumer information and the financial service companies at risk of a data breach that could potentially cause them large financial losses.
Financial services firms are 300 times more likely to become a victim of a cyberattack than other industries. (ITSP magazine)
Besides being targeted more by cyber criminals, those in the financial industry often have larger costs for a security breach. The average cost for other businesses for every lost or stolen record is $225, but for those in finance, it’s $336 per record.
Requirements Under the NYDFS for Organizations
If you’re required to comply with this New York State data security regulation, you’ll need to have in place a comprehensive Cybersecurity Policy that is based upon a risk assessment. Here are a few of the areas this policy should cover:
- Information security and customer data privacy
- Asset inventory and device management
- Access controls/identity management
- Business continuity and disaster recovery
- Systems and network security and monitoring
- Systems and application development and quality assurance
- Physical security and environmental controls
- Management of Vendors and Third-Party Service Providers
- Incident response
Some Key Regulation Takeaways
The NYDFS cybersecurity regulation for financial services companies includes 12 pages of requirements. Here are a few key highlights that you’ll want to be aware of.
Annual Compliance Certification: Covered entities are required to submit a written statement of compliance to the NYDFS superintendent annually by February 15th.
Cybersecurity Awareness Training: You’re required to provide regular awareness training on cybersecurity to all personnel.
Multi-Factor Authentication: Anyone accessing your internal networks from an external network, unless having prior approval in writing from your Chief Information Security Officer (CISO), is required to use multi-factor authentication.
Data Retention Limits: Each covered entity is required to have policies and procedures for the secure disposal on a periodic basis of nonpublic information that’s no longer necessary for business operations.
Incident Response Plan: You’re required to have a written incident response plan that addresses seven areas connected to responding to a data breach incident.
Contact Triada Networks for a Free Security Scorecard
Unsure if you’re fully in compliance with the NYDFS cybersecurity regulation for financial services companies?
Schedule a free consultation today and we’ll give you a free small business security scorecard and a customized proposal in just 24 hours!