Filter by Category
Filter by Category

How to Prepare for the NYDFS Cybersecurity Regulation


Collaborating Author: Kenneth Riley

Throughout 2018, senior leadership – and even the boards – of major financial institutions in New York will be discussing cybersecurity. This is something most security professionals have been hoping would happen for years, and the New York Department of Financial Services (NYDFS) made this a reality starting on March 1st, 2017. 

Each company’s Chief Information Security Officer (CISO) -if you don’t have one appointed yet, you may soon – will now be responsible for delivering an annual report to the board on the state of their security program.  

NYDFS made the significant change from just simply providing cybersecurity guidance, like the well-know NIST Cybersecurity Framework, to issuing mandatory regulation for all New York based financial services organizations. The regulation will require financial institutions to make changes to their organization’s people, processes and technologies. Here’s a quick overview of what each organization will be expected to accomplish prior to the first mandatory reporting date of February 15th, 2018: 


  1. Appoint a CISO
  2. Provide detailed training on cybersecurity risks and regulations
  3. Hire individuals with cybersecurity expertise
  1. Establish a leadership-supported cybersecurity program
  2. Develop cybersecurity policies and procedures
  3. Implement controls over the secure development of systems/applications
  4. Perform periodic risk assessments
  5. Establish a third-party risk management program
  6. Develop an incident response program including a detailed plan and training 
  7. Institute data retention and disposal standards
  1. Perform penetration testing and vulnerability scanning 
  2. Create a reliable audit trail
  3. Limit access to privileged roles and non-public information 
  4. Review system access on a regular basis 
  5. Enable multi-factor authentication
  6. Monitor user activity 
  7. Protect data in transit and storage with encryption

Over the next several months, organizations are going to be responsible for reporting on the state of their cybersecurity program as the 12-month (March 1st, 2018) and 18-month transitional periods (September 3rd, 2018) end. While many of these regulatory requirements are not new to information security teams, ensuring that organizations meet the nuance and not just the letter of the law will require changes to people, processes and even technology.  

The growing number of regulations over the protection of financial systems and data is a key indicator of how critical a strong cybersecurity program is and the scrutiny that cybersecurity programs are coming under from big regulators. NYDFS may be the first big regulator to mandate cybersecurity in the finance industry but other states have already begun to follow suit. So, if you are in New York, we recommend following the guidance above. And if you aren’t in New York, then this should definitely be on your radar because there is a good chance it’s coming your way.


Click here to learn more about cybersecurity  and how you can be prepared

How CECL Impacts AFS and HTM Debt Securities
5 Things Every Financial Services Professional Needs To Know For 2018

About Author

Cameron Over
Cameron Over

Cameron has approximately 15 years of experience leading organizations through cybersecurity technical and regulatory compliance requirements. She has led many cybersecurity technical and regulatory projects for both federal and commercial clients, assisting them in the secure configuration, network monitoring, design, and remediation of their most trusted information systems. Cameron is a Certified Information Systems Security Professional (CISSP). Click here to read Cameron's full bio.

Related Posts
Why non-public companies need a strong internal control environment
Why non-public companies need a strong internal control environment
Innovate with Your Head in The Clouds: Balancing Cloud Risk with Innovation
Innovate with Your Head in The Clouds: Balancing Cloud Risk with Innovation
Why Details Matter When Internal Audit Assesses Corporate Culture
Why Details Matter When Internal Audit Assesses Corporate Culture