< Back to Blog
NYDFS Cybersecurity Regulation Deadline Looming
Standards & Regulations

NYDFS Cybersecurity Regulation Deadline Looming

By Dov Goldman Feb 14, 20192 min read

The two-year implementation period for the New York Department of Financial Services (NYDFS) cybersecurity regulation, 23 NYCRR 500, will be over on March 1. This means that the final requirement involving entities that use third-party providers will soon become effective.

What do companies need to know about the NYDFS regulation and deadline? Read on for some key guidelines.

What is NYDFS?

The NYDFS regulation requires all DFS regulated entities to adopt the core requirements of a cybersecurity program. This includes:

  • A cybersecurity policy
  • Effective access privileges
  • Cybersecurity risk assessment
  • Training and monitoring for all authorized users
  • The establishment of governance processes

The final phase of implementation requires regulated entities that use third-party service providers—including banks, insurance, mortgage companies and other financial services institutions—to implement third-party risk management programs. This is the last remaining requirement that will become effective on March 1.

What does NYDFS require from companies working with third parties?

According to the regulation, each covered entity must implement written policies and procedures regarding data held by third-party service providers, including:

  • The identification and risk assessment of third-party service providers
  • A minimum standard to be met by third-party service providers in order to do business with the covered entity
  • Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
  • Periodic risk assessment of third parties

The policies and procedures must include guidelines relating to third parties, addressing:

  • Use of multi-factor authentication (MFA)
  • Use of encryption
  • Notice provided to the covered party in the event of a breach
  • Representations and warranties about third-party procedures relating to the security of an entity’s data

How can companies comply with the NYDFS cybersecurity regulation?

Covered entities will need to work with a solution that can provide the following:

Scalability: Financial institutions will need to evaluate all of their third parties and hold each one to a minimum security standard. To comply by the deadline, they will need to ensure that their process can easily, quickly and accurately manage the evaluation of third parties, regardless of the number.

Visibility: To properly assess risk, financial institutions will not only need to have visibility into their third parties, but also have context around the business and technology relationship between themselves and their third parties.

Want to learn more about how Panorays can help you comply with NYDFS? Contact us today for more information.

Dov Goldman

Dov Goldman is Director of Risk & Compliance at Panorays. He’s a serial entrepreneur who’s been involved with third-party programs of all sizes, and is the go-to person for explaining the difference between inherent and residual risk.

You may also like...
The Impact of EBA Guidelines on Third-Party Risk Management
Aug 12, 2021 The Impact of EBA Guidelines on Third-Party Risk Management Dov Goldman
Securing Your Suppliers: Complying With Regulations
Oct 22, 2020 Securing Your Suppliers: Complying With Regulations Dov Goldman
7 Facts You Should Know About NYDFS
Sep 07, 2020 7 Facts You Should Know About NYDFS Dov Goldman
We use cookies to ensure you get the best experience on our website. Visit our Cookie Policy for more information.
Get our latest posts straight to your inbox Subscribe