THALES BLOG

New Cybersecurity Rules for Financial Institutions in New York State Take Effect November 1, 2024

October 25, 2024

Kevin Williams | VP, Americas Sales

The next major deadline for compliance with the updated cybersecurity rules from the New York State Department of Financial Services (NYDFS) is November 1, 2024.

These new rules date back to March 1, 2017, when the NYDFS implemented comprehensive cybersecurity regulations for financial services companies and other covered entities. The regulations were most recently updated on November 1, 2023, with phased effective dates starting on December 1, 2023. Several key provisions of the amended regulations will take effect on November 1, 2024, with additional measures rolling out in 2025.

The cybersecurity regulations apply to entities overseen by the NYDFS, such as financial institutions, insurance companies, agents, and brokers, as well as banks, trusts, mortgage lenders and brokers, money transmitters, check cashers, and other related businesses. Under the revised regulations, larger entities classified as Class A companies face additional obligations, while smaller businesses are exempt from some specific requirements.

The Requirements

By November 1, banks and other firms under the department's jurisdiction must demonstrate, among other requirements, that they:

  • Have a CISO who regularly reports significant cyber incidents to senior management. Additionally, the senior governing body must possess the expertise to oversee the company's cybersecurity program.
  • Encrypt "non-public" data both at rest and in motion or use effective alternative compensating controls for information at rest if approved by the CISO in writing. The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
  • Update the incident response plan to include procedures such as the internal process for responding to cybersecurity events, recovery from backups, and conducting a root cause analysis after an event.
  • Implement a business continuity and disaster recovery plan that complies with specific requirements and ensures backups are available to restore critical operations.
  • Train employees responsible for executing the incident response and disaster recovery plans, ensuring they understand their roles and responsibilities.
  • Test employees responsible for these plans to assess their understanding of their roles and responsibilities.
  • Conduct annual tests of the incident response plan, disaster recovery plan, and backup systems.

NYDFS-regulated companies should review their cybersecurity policies, practices, and training to ensure they comply with the amended regulations by November 1, 2024.

The Data Security Challenge

Thales recently released the 2024 Thales Data Threat Report – Financial Services Edition, which highlights the latest data security challenges and threats to financial services organizations. Some of the key findings from the report include:

  • The percentage of financial services organizations reporting a breach in the last 12 months decreased from 29% in 2021 to 14% in 2024.
  • About one in five financial services organizations (18%) reported that they have experienced a ransomware attack.
  • Human error was the leading cause of cloud-based data breaches.

Achieving NYDFS Compliance

Thales’ solutions can help financial institutions comply with NYDFS by simplifying compliance and automating security, reducing the burden on security and compliance teams. We help address essential cybersecurity requirements under NYDFS Part 500, including:

  • Encrypting and monitoring access to non-public information
  • Providing an audit trail to detect and respond to cybersecurity events
  • Managing access privileges and providing multi-factor authentication
  • Securing development of applications
  • Assessing risk, discovering and classifying sensitive data
  • Managing third party service provider risk
  • Securing disposal of information

Download a copy of the 2024 Thales Data Threat Report – Financial Services Edition, and learn more about Thales solutions for NYDFS Compliance.