The Cybersecurity Requirements for Financial Services, issued by the New York State Department of Financial Services (NYDFS), are now in full effect. The rules were first introduced in September 2016 and revised in January 2017, becoming effective on March 1, 2017. Section 500.22 of the rules (text can be found here) laid out a two-year long transition period, which ended on March 1, 2019.

The transition period contained three main checkpoints with certain requirements:

  1. By March 1, 2018 (one year after effective date): Have systems in place for annual penetration testing, bi-annual vulnerability assessments, periodic risk assessments, and annual written reports by Chief Information Security Officer to the governing body of the covered entity (e.g., board of directors).
  2. By September 1, 2018 (eighteen months after the effective date): Establish audit trails, in-house application development policies and procedures, limitations on data retention, and encryption of nonpublic information.
  3. By March 1, 2019 (two years after the effective date): Establish third party service provider security policies that include risk assessments and setting minimum cybersecurity standards for third party vendors.

insideARM Perspective

Consumer data in financial services has been a hot button issue for several years now, with the focus centered on external threats to and internal use of the data.

Several years ago when the NYDFS cybersecurity rules came out, the focus was on protecting data from external threats, such as cybersecurity attacks and data breaches, to electronically-stored consumer data. The Equifax data breach of 2017 doubled-down on the importance of cybersecurity.


Over the past year or so, an added area of focus has been data privacy. While cybersecurity focuses on protection from external threats, privacy focuses on internal policies and procedures related to sharing or selling consumer data. Laws such as the California Consumer Protection Act and Washington Consumer Protection Act give consumers power to control how companies use and share their data.

Cybersecurity and privacy in financial services are two distinct issues that require different approaches, but both share the common thread of consumer data. And, if the recent legislative and regulatory trends are any indication, consumer data is king in the modern world.

Next Article: CFPB Seeks Applications from Experts in Debt ...