
Warning to Comply – NYDFS Requirements Announced  

by Eleanor Barlow • Apr 2024

April 15th, 2024, marks a significant date for financial services companies based in New York.

This is because financial services companies must certify by this date that they have met the newly amended New York State Department of Financial Services (NYDFS) cyber regulation. The amended cyber requirements will significantly impact the compliance obligations of these businesses and will potentially alter and streamline companies’ existing approaches to cyber security going into the second half of 2024.

What Does This Mean? And What Requirements Are Needed to Meet the Amended NYDFS Standards? 

Compliance and governance are the two key focus areas of the amended NYDFS regulation. To achieve this, the regulation places a keen focus on:

  • Enhanced Risk Assessments
  • Password and Data Management
  • Net-New Requirements for Asset Inventory
  • Enhanced Disaster Recovery Plans  
  • Independent Audits

What this means for CEOs and CISOs is that all compliance must now be documented and certified. The CEO, or the person of highest authority, must now sign off on compliance, based on data and documentation, including any reliance on third-party vendors. If a company cannot provide this data, it must deliver a written statement and start a remediation process to achieve the required compliance.

According to the DFS website, ‘The amended regulation’s new compliance requirements will take effect in phases. Unless otherwise specified, covered entities have 180 days from date of adoption to come into compliance, or until April 29, 2024. Changes to reporting requirements take effect one month after publication of the amended regulation, or December 1, 2023. For certain other requirements, the regulation provides for up to one year, 18 months, or two years to come into compliance.’

View the Cybersecurity Implementation Timelines, which outline the key compliance dates for each category of business impacted by the amended regulation: here.

How Will This Impact Cyber Security for US-Based Businesses?

Based in New York, Alan Cizenski, Pre-Sales Engineer for SecurityHQ, commented on the regulation’s implementation: ‘I think one of the biggest impacts from the amended NYDFS cybersecurity regulation will be increased executive visibility and sign off of cyber programs. This is because the highest-ranking executive is now required to sign off on compliance, with data and documentation to back it up. This new level of executive engagement will bring more attention and scrutiny to cybersecurity. It will become even more important for financial organizations to have trusted partners like SecurityHQ to ensure they are compliant and secure.’

How Can SecurityHQ Support US-Based Financial Services Throughout These Changes?

‘SecurityHQ is purpose-built to help financial services/companies with many of the requirements under the amended NYDFS cybersecurity regulation. Partnership and trust are the driving principles of SecurityHQ’s relationship to customers.’ – Cizenski

SecurityHQ is helping companies successfully navigate these changes by providing:

  • Fully managed Endpoint Detection & Response to monitor anomalous activity.
  • Fully managed SOC to centralize logging and alerting across disparate systems.
  • Cybersecurity incident notification and continuous improvement of incident response.
  • Ensuring compliance is met and can be sufficiently documented for executive certification.
  • Assessing risk today and prioritizing areas that require immediate mitigation.

For more information, or to speak with a member of our New York office, speak to an expert here. If you suspect a security incident, you can report an incident here.