Compliance with New York Cybersecurity Requirements for Financial Services Companies Is Just the Start

The New York State Department of Financial Services (NYDFS) has recognized the growing cyber threats to the state's financial services industry. Given the seriousness of this issue, the NYDFS put into effect on Mar. 1, 2017, the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500).

This first-of-its-kind regulation is designed to promote the protection of customer information as well as the information technology systems of banking, insurance and financial services companies operating in the state of New York―from commercial banks to check cashers, health insurers to P&C insurance firms and mortgage brokers to loan servicers. The regulation requires that each company assess its risk profile and design a cybersecurity program that addresses those risks in a “robust” fashion. The most notable program requirements include the use of controls and data encryption for “non-public” information; annual certification confirming compliance with the regulations; incident reporting that documents all cybersecurity events; and the implementation of effective controls, such as multi-factor authentication (MFA), to protect against unauthorized access to private data and networks.

Financial services companies in the state of New York that are in the midst of evaluating their MFA technology options should keep in mind that not all security vendors are created equal. It’s important to differentiate between vendors that “offer” and vendors that “own” MFA solutions, and to be wary of those that work with another third-party vendor to provide these services. Outsourced MFA services reduce the amount of control financial services companies will have and tend to drive prices higher.

The most powerful MFA solutions combine behavioral profiling, device identification and calculated risk factors to transparently automate the authentication process. If a log-in attempt is identified as suspect, adaptive authentication options come into play to provide another layer of protection.

Financial services companies in the state of New York must file their Certificate of Compliance for the calendar year 2018 no later than Feb. 15, 2019―with a deadline for complete compliance by Mar. 1, 2019.

Following New York’s lead, South Carolina is the latest state to institute cybersecurity regulation with its Insurance Data Security Act, which took effect at the start of 2019. Due to the serious and pervasive nature of data breaches, it’s only a matter of time before other states come on board with their own regulations. 

Stay tuned for those state updates here, and if you would like to learn more about how MFA can help your company meet security and compliance requirements, contact us.