NYDFS finalizes cybersecurity regulations for New York financial institutions


The New York State Department of Financial Services (NYDFS) recently issued cybersecurity regulations that require New York banks, insurance companies and other financial institutions to create and maintain a cybersecurity program designed to protect consumers and the financial services industry at large, according to a report by Mondaq.

The regulations, which take effect on March 1, require all applicable entities to come into compliance with most requirements within 180 days of the effective date. However, certain requirements allow up to two years after the effective date.

Initially proposed last September and revised after two rounds of public comment, the new cybersecurity guidelines mirror several existing federal data security requirements for financial institutions while being somewhat broader.

The new requirements rely on a definition of “Nonpublic Information” that is more comprehensive than the definition of “customer information” under the federal Interagency Guidelines Establishing Information Security Standards.

The regulations apply to “covered entities”, which include any individual or any non-government entity that operates under or is required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York State Banking Law, Insurance Law or Financial Services Law.

The regulations impose obligations to report cybersecurity incidents to NYDFS, an annual certification requirement concerning compliance with the regulations, requirements concerning oversight of third-party service providers, obligations concerning use of multi-factor authentication and encryption, and requirements concerning audit trail maintenance and document destruction.

The risk-based requirements include minimum standards wherein covered entities are obligated to continually update their cybersecurity program to reflect new technological advances.

All New York financial institutions must implement security measures to prevent and avoid cyber breaches, including controls relating to the governance framework for a cybersecurity program.

Another key requirement is the implementation of risk-based minimum standards for technology systems, including access controls, data protection (including encryption), and penetration testing.

Covered entities must have minimum standards in place that address any cyber breaches, including an incident response plan, preservation of data to respond to such breaches and notice to DFS of material events.

Finally, New York financial institutions are required to provide identification and documentation of material deficiencies, remediation plans and annual certifications of regulatory compliance to DFS.

Starting February 15, 2018, all covered entities must annually prepare and submit to the Superintendent of Financial Services a “Certification of Compliance with New York State Department of Financial Services Cybersecurity Regulations”.

Earlier this month, New York banks, insurance companies and other financial institutions said they are preparing to adopt multi-factor authentication including biometrics in compliance with the NYDFS’s new cybersecurity rules.
