Strengthening Cybersecurity in Financial Services: The NYDFS Regulation and IT Asset Management

Cybersecurity is paramount in today’s digital world, and the financial services sector is no exception. Recognizing this, the New York Department of Financial Services (NYDFS) enacted the NYDFS Cybersecurity Regulation in 2017 to safeguard sensitive data and IT systems.

Understanding the NYDFS Cybersecurity Regulation

This regulation establishes requirements for financial institutions under NYDFS jurisdiction. Here’s a breakdown of the covered entities:

Banks: This includes chartered banks, trust companies, and branches of foreign banks licensed by the NYDFS.

Insurance Companies: All insurance companies, including property and casualty insurers, life insurers, and health insurers, doing business in New York are covered.

Other Licensed Financial Institutions: Institutions like money transmitters, mortgage bankers and servicers, investment advisors, and entities licensed to engage in virtual currency business activities under NYDFS oversight also fall under the regulation.

The regulation mandates a comprehensive cybersecurity program addressing key areas:

Governance and Risk Assessment: Institutions must identify cyber risks through regular assessments, appoint a Chief Information Security Officer (CISO), and develop written cybersecurity policies that address risk management and staff training.

Access Controls and Identity Management: Robust access controls are required, including multi-factor authentication and least privilege principles. User activity monitoring must be implemented to detect suspicious behavior.

Data Protection and Encryption: Non-public information must be encrypted at rest and in transit, with data retention policies in place to dispose of old data securely.

Monitoring and Incident Response: Covered entities must establish and test incident response plans that outline procedures for identifying, containing, eradicating, and recovering from cybersecurity events. They must also implement systems to monitor their IT systems for suspicious activity.

Third-Party Risk Management: Institutions must assess and mitigate cybersecurity risks posed by third-party service providers they rely on. This may involve conducting security audits of the third party.

Reporting and Compliance: Covered entities submit annual certifications of compliance to the NYDFS attesting to their adherence to the regulation’s requirements. They must also report cybersecurity incidents to the NYDFS in a timely manner.

Evolving Requirements

The regulation was revised in 2023 (Second Amendment) to address evolving cyber threats. The Amendment emphasizes:

  • Reporting of cybersecurity incidents occurring at the covered entity, its affiliates, or third-party service providers.
  • Electronic reporting of required information via the NYDFS website.
  • Providing requested incident information to the NYDFS Superintendent in a specific format.

NYDFS Cybersecurity Regulation Timeline

  • March 1, 2017: The NYDFS Cybersecurity Regulation is enacted.
  • August 28, 2017: Initial compliance deadlines take effect, requiring covered entities to implement a cybersecurity program and conduct their first risk assessment.
  • February 15, 2018: Covered entities submit their first Certification of Compliance.
  • March 1, 2018: Deadline for covered entities to implement specific security measures, such as multi-factor authentication and encryption of data at rest.
  • September 4, 2018: Deadline for covered entities to implement additional security measures, such as encryption of data in transit.
  • March 1, 2019: Deadline for covered entities to implement further security measures.
  • November 1, 2023: The Second Amendment is issued.

Financial Institutions’ Role

The NYDFS Cybersecurity Regulation requires financial institutions to take proactive measures to safeguard their data and systems. Here are some key responsibilities:

Implement and Maintain a Cybersecurity Program: This program should consist of written policies and procedures that address risk management, data security, access controls, incident response, and employee training. The program should be reviewed and updated regularly.

Conduct Regular Risk Assessments: Regular assessments are crucial for identifying vulnerabilities in IT systems and the broader environment. This helps institutions prioritize security measures and ensure their cybersecurity program is effective.

Maintain an Accurate IT Asset Inventory: A comprehensive inventory of all IT assets (hardware, software, cloud resources) is essential. This allows institutions to track assets throughout their lifecycle, identify potential vulnerabilities, and ensure proper security measures are applied.

IT Asset Management (ITAM) for NYDFS Compliance

IT Asset Management (ITAM) solutions can be a valuable tool for financial institutions to achieve compliance with the NYDFS Cybersecurity Regulation. Here’s how ITAM helps:

Comprehensive Asset Inventory: ITAM platforms provide a centralized view of all IT assets, enabling a more thorough risk assessment and facilitating accurate reporting to the NYDFS.

Access Controls and Monitoring: ITAM integrates with identity and access management systems to enforce granular access controls. This ensures only authorized users have access to specific systems and data, and that user activity is monitored for suspicious behavior.

Patch Management: ITAM can automate the process of identifying, prioritizing, and deploying software patches, which helps to address vulnerabilities and minimize security risks.

Software License Compliance: ITAM tools track and manage software licenses, ensuring compliance with licensing terms and optimizing software investments. This can be crucial to avoid potential security risks associated with unauthorized software.

Incident Response: ITAM can facilitate root cause analysis during a cybersecurity incident and support efforts to restore normal operations. By having a clear understanding of the IT asset landscape, institutions can respond more effectively to security breaches.

By implementing ITAM solutions and aligning them with their overall cybersecurity strategy, financial institutions can streamline compliance efforts, enhance their cybersecurity posture, and better protect sensitive data and critical IT systems.

Conclusion

The NYDFS Cybersecurity Regulation plays a vital role in safeguarding the financial services industry. By understanding the requirements and leveraging IT Asset Management (ITAM) solutions, financial institutions can achieve compliance and strengthen their cybersecurity defenses against evolving threats.

Ready to take your cybersecurity posture to the next level? Teqtivity is a leading provider of IT asset management solutions. Our team of experts can help you implement a comprehensive ITAM strategy that aligns with the NYDFS Cybersecurity Regulation and strengthens your overall security posture.

Contact Teqtivity today to learn more about how we can help your organization achieve compliance and protect your valuable data.