Added Reason to Be Aware of the New York State Department of Financial Services Cybersecurity Regulations
All businesses operating in New York under a license, registration, charter, certificate, permit or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law must comply with the DFS Regulations. A full list of businesses supervised by DFS can be found here.
The SHIELD Act does not mandate specific safeguards, but it provides several examples of practices that are considered reasonable administrative, technical, and physical safeguards. These examples suggest the kinds of safeguards businesses should be adopting, but they are not the only safeguards companies should adopt.
Administrative Safeguards
Designate individual(s) responsible for security programs;
Conduct a risk assessment process, one that identifies reasonably foreseeable internal and external risks and assesses the sufficiency of safeguards in place to control those risks;
Train and manage employees in security program practices and procedures;
Select capable service providers and require safeguards by contract; and
Adjust program(s) in light of business changes or new circumstances.
Physical Safeguards
Assess the risks of information storage and disposal;
Detect, prevent, and respond to intrusions;
Protect against unauthorized access/use of private information during or after collection, transportation, and destruction/disposal; and
Dispose of private information within a reasonable amount of time after it is no longer needed for business purposes.
Technical Safeguards
Assess risks in network and software design;
Assess risks in information processing, transmission, and storage;
Detect, prevent, and respond to attacks or system failures; and
Regularly test and monitor the effectiveness of key controls, systems, and procedures.
In addition to the safeguards in the new law, organizations should consider others, such as:
Developing access management plans;
Maintaining written policies and procedures;
Applying sanctions to individuals who violate the organization’s data privacy and security policies and procedures;
Implementing facility security plans;
Maintaining and practicing disaster recovery and business continuity plans;
Tracking inventory of equipment and devices;
Deploying encryption and data loss prevention tools;
Developing and practicing an incident response program;
Regularly updating antivirus and malware protection;
Utilizing two-factor authentication; and
Maintaining and implementing a record retention and destruction policy.