DATAINSIDER

Digital Guardian's Blog

NYDFS Clarifies Portions of Cybersecurity Regulation in Update

by Chris Brook on Thursday September 23, 2021


The New York Department of Financial Services has updated its guidance on incidents affecting third party services and multi-factor authentication.

The rise in cyberattacks in the wake of the COVID-19 pandemic has been well documented. The financial industry, where many employees will continue working from home for the foreseeable future, certainly isn't immune.

These changing times have kept regulators like the Securities and Exchange Commission’s (SEC) Cyber Unit and New York Department of Financial Services’ (NYDFS) Cybersecurity Division on their toes, investigating, responding to incidents and carrying out enforcement actions.

To clarify some particulars of its Cybersecurity Regulation, 23 NYCRR Part 500, the NYDFS recently updated several of the frequently asked questions (FAQs) it publishes on the regulation.

For those unfamiliar with it: any entity regulated or licensed by the New York State Department of Financial Services must comply with the NYDFS Cybersecurity Regulation. The regulation requires financial services companies to implement and follow a cybersecurity program that safeguards sensitive customer data and mitigates risk through controls such as data protection, encryption, and access controls.

One of the clarified questions concerns breaches at third party service providers. If an incident at a third party affects your organization, you still have to notify the department yourself, even if the third party has already reported the same incident to the NYDFS.

"Reporting Cybersecurity Events to the Department is not only an important obligation of all Covered Entities, but also enables the Department to more rapidly identify techniques used by attackers so that DFS can alert industry, respond quickly to new threats, and continue to effectively protect consumers and the financial services industry," the NYDFS wrote.

The second question pertains to the use of multi-factor authentication (MFA). Specifically, if a company uses cloud-based email, document hosting and similar services as part of its internal networks, does it have to comply with 23 NYCRR § 500.12(b) of the Cybersecurity Regulation?

23 NYCRR § 500.12(b) requires MFA for any individual accessing the covered entity's internal networks from an external network, unless the covered entity's CISO has approved in writing the use of reasonably equivalent or more secure access controls.

As is to be expected, the answer from the NYDFS is yes: MFA is still required when an organization relies on cloud-based services such as Microsoft Office 365 and Google's G Suite, because those services hold the same data the regulation protects.

"These services contain Nonpublic Information that Covered Entities are required to protect,” NYDFS said in a recent update.

The clarifications come on the heels of the department issuing new guidance on how financial services firms should mitigate ransomware attacks.

The department's instructions included training employees to recognize phishing attacks, using multi-factor authentication, and having a way to monitor systems for intruders, such as an endpoint detection and response (EDR) solution.

Tags: Industry Insights, Financial Services

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.