New York’s Tough Cyber Regs on MFA, Encryption for FinServ

New York Department of Financial Services’ (NYDFS) regulations governing how financial services enterprises protect data are about to take effect, and the regulations are far-reaching for those required to comply.

Among the host of requirements are directives for financial services enterprises to encrypt data in transit and use multifactor authentication for banking when handling privileged data, which they term “non-public.”

Other provisions read like a How To on security policy and maintenance.

Covered entities must maintain a cybersecurity program, implement and maintain an official written policy setting forth the policy, identify or contract a CISO or equivalent to oversee the policy, conduct penetration testing and vulnerability assessments, maintain systems that disclose operational and financial audit trails, and limit user access non-public information.

There are also provisions on employee training and data breach disclosure, which is a hot topic as evidenced by the Yahoo! data breach scrutiny.

The regulations take effect March 1, 2017 and covered entities have just 180 days to achieve at least partial compliance with the full array of regulations. Covered entities will be required to prepare and submit compliance certifications annually beginning February 16, 2018.

The regulations govern all but the smallest financial enterprises as measured by employees, gross annual revenue, or total year-end assets as well as entities already covered.