Compliance Brief
Data Security Compliance With the NYDFS Cybersecurity Requirements for Financial Services
New York State Department of Financial Services Cybersecurity Requirements
The New York State Department of Financial Services (NYDFS) Cybersecurity Requirements, or 23 NYCRR Part 500 regulation, requires that regulated institutions implement, maintain, and annually certify that they have cybersecurity programs in place to protect the integrity of their information systems and customers’ data.
The regulation promotes the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously, be responsible for the organization’s cybersecurity program, and file an annual certification confirming compliance with these regulations. HIPAA Rules and Regulations lay out three types of security safeguards required for compliance:
Regulation | Active Now
Any institution that needs a license, registration, or charter from the New York State Department of Financial Services is regulated by the NYDFS. Examples of covered entities include state-chartered banks, foreign banks licensed to operate in the state of New York, licensed lenders, private bankers, savings and loans associations, mortgage companies, insurance companies, and other financial service providers.
The initial phase of the New York State Cybersecurity Requirements for Financial Services Companies took effect on March 1, 2017. However, the entirety of the requirements was only enforced two years later, by March 1, 2019.
Under NY Banking Law, the NYDFS penalties start at $2,500 a day for each day of noncompliance with NYDFS Part 500. If noncompliance is determined to be a “pattern” by the NYDFS superintendent, the fine may increase to $15,000 a day. If the superintendent decides that any violations have been committed “knowingly and willfully,” the fine will jump to $75,000 daily.
Recent 2022 enforcement actions imposed monetary penalties in the $4.5 million to $5million range.
How Thales Helps with NYDFS Compliance
Thales’ solutions can help Financial Institutions and third-party ICT providers comply with DORA by simplifying compliance and automating security reducing the burden on security and compliance teams. We help address essential cybersecurity risk-management requirements under articles 8, 9, 10, 11, 19 and 28 of the regulation, covering ICT Risk Management and Governance, Incident Reporting, and ICT Third Party Risk Management.
We provide comprehensive cyber security solutions in three key areas of cybersecurity: Application Security, Data Security, and Identity & Access Management.
NYDFS Compliance Solutions
Application Security
Protect applications and APIs at scale in the cloud, on-premises, or in a hybrid model. Our market leading product suite includes Web Application Firewall (WAF), protection against Distributed Denial of Service (DDoS) and malicious BOT attacks, security for APIs, a secure Content Delivery Network (CDN), and Runtime Application Self-Protection (RASP).
Data Security
Discover and classify sensitive data across hybrid IT and automatically protect it anywhere, whether at rest, in motion, or in use, using encryption tokenization and key management. Thales solutions also identify, evaluate, and prioritize potential risks for accurate risk assessment as well as identify anomalous behavior, and monitor activity to verify compliance, allowing organizations to prioritize where to spend their efforts.
Identity & Access Management
Provide seamless, secure and trusted access to applications and digital services for customers, employees and partners. Our solutions limit the access of internal and external users based on their roles and context with granular access policies and Multi-Factor Authentication that help ensure that the right user is granted access to the right resource at the right time.
Address Key NYDFS Requirements
How Thales helps:
- Detect and prevent cyber threats with web application firewall.
- Monitor ICT network and protect from DDoS attacks and Bad Bots.
- Monitor API activity, track usage, detect anomalies, and identify potential unauthorized access attempts.
- Data activity monitoring for structured and unstructured data on Hybrid IT.
- Produce audit trail and reports of all access events to all systems, stream logs to SIEM.
Solutions:
Application Security
Data Security
How Thales helps:
- Limit access to systems and data based on roles and context with policies.
- Apply contextual security measures based on risk scoring.
- Centralize access policies and enforcement to multiple hybrid environments in a single pane of glass.
- Leverage smart cards for implementing physical access to sensitive facilities.
- Provide customers secure access to their information in company’s systems.
Solutions:
Identity & Access Management
Data Security
How Thales helps:
- Protect apps from runtime exploitation, while integrating with tools in the CI/CD pipeline.
- Detect and prevent cyber threats with web application firewall, ensuring seamless operations and peace of mind.
- Safeguard critical network assets from DDoS attacks and Bad Bots while continuing to allow legitimate traffic.
- Deploy data protection controls in hybrid and multi-cloud applications to protect DevSecOps.
- Protect and automate access to secrets across DevOps tools.
- Easily access data security solutions through online marketplaces.
Solutions:
Application Security
Data Security
How Thales helps:
- Discover and classify potential risk for all public, private and shadow APIs.
- Identify structured and unstructured sensitive data at risk across Hybrid IT.
- Identify current state of compliance and documenting gaps.
How Thales helps:
- Reduce third party risk by maintaining on-premises control over encryption keys protecting data hosted by in the cloud.
- Ensure complete separation of roles between cloud provider admins and your organization, restrict access to sensitive data.
- Monitor and alert anomalies to detect and prevent unwanted activities from disrupting supply chain activities.
- Enable relationship management with suppliers, partners or any third-party user; with clear delegation of access rights.
- Minimize privileges by using relationship-based fine-grained authorization.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Enable multi-factor authentication (MFA) with the broadest range of hardware and software methods.
- Build and deploy adaptive authentication policies based on the sensitivity of the data/application.
- Protect against phishing and man-in-the-middle attacks.
Solutions:
Identity & Access Management
How Thales helps:
- Locate structured and unstructured regulated data across hybrid IT and prioritize remediation.
- Remove keys from CipherTrust Manager can ensure secure deletion, digitally shredding all instances of the data.
How Thales helps:
- Data activity monitoring for structured and unstructured data across cloud and on-prem systems.
- Produce audit trail and reports of all access events to all systems, stream logs to external SIEM systems.
Solutions:
Data Security
Identity & Access Management
How Thales helps:
- Encrypt data at rest on-premises, across clouds, and in big data or container environments.
- Protect cryptographic keys in a FIPS 140-2 Level 3 environment.
- Pseudonymize sensitive information in databases.
- Protect data in motion with high-speed encryption.
- Protect data in use by leveraging confidential computing.
- Gain full sensitive data activity visibility, track who has access, audit what they are doing and document.
- Security products designed for post-quantum upgrade to maintain crypto-agility.
Solutions:
Identity & Access Management
Related resources
Other key data protection and security regulations
PCI HSM
MANDATE | ACTIVE NOW
The PCI HSM specification defines a set of logical and physical security compliance standards for HSMs specifically for the payments industry. PCI HSM Compliance certification depends on meeting those standards.
DORA
REGULATION | ACTIVE NOW
DORA aims to strengthen the IT security of financial entities to make sure the financial sector in Europe is resilient in the face of the growing volume and severity of cyber-attacks.
Data Breach Notification Laws
REGULATION | ACTIVE NOW
Data breach notification requirements following loss of personal information have been enacted by nations around the globe. They vary by jurisdiction but almost universally include a “safe harbor” clause.
GLBA
REGULATION | ACTIVE NOW
The Gramm-Leach-Bliley Act (GLBA)--also known as the Financial Services Modernization Act of 1999--requires financial institutions to explain their information-sharing practices to their customers and to safeguard sensitive data.