The NYDFS Approach To Cybersecurity


On March 1st, the New York Department of Financial Services’ (NYDFS) “Cybersecurity Requirements for Financial Service Companies” regulation went live. Considered to be the first of its kind, this new regulation requires banks, insurers and other financial service providers that fall under the jurisdiction of the NYDFS to meet minimum cybersecurity requirements designed “to protect consumers and ensure that its systems are sufficiently constructed to prevent cyberattacks…” While this regulation is not applicable to most of us, it is worth reviewing for two reasons: 1) it is likely indicative of what other state regulatory authorities and governments may enact, and 2) for those that do not have strong cybersecurity practices in place, it does provide some guidance with respect to minimum requirements.

One of the more interesting features of this regulation is its expanded definition of “personal information”. Those of us in the industry are familiar with “Personal Information” being classified as the non-public private information defined in the Gramm-Leach-Bliley Act and under HIPAA’s Privacy Rule. And while this regulation does include those definitions of “Personal Information”, it adds to the definition confidential business information, which all businesses already protect, and “any information that can be used to distinguish or trace an individual’s identity…”. This latter definition greatly expands the range of data that must be protected. Protecting direct information, such as names and SS#s, is no longer enough. Now indirect information, such as address, education, etc., that could be used to link data to an individual must also be protected.

When it comes to specific requirements and their implementation, the NYDFS has taken a novel approach. First, requirements are divided into 16 sections, and implementation is tiered, ranging from 180 days to two years for those requirements that take longer to implement. Second, the determination of which requirements are in fact required is based on a Risk Assessment conducted by each entity. As such, this is not a one-size-fits-all approach. The first implementation tier runs March 1st through August 1st, by which time entities covered under this regulation must have implemented the first 7 of the 16 sections, including:

  • A written Cybersecurity Policy & Incident Response Plan must be developed and maintained.
  • A qualified employee or third party must be designated to oversee and implement cybersecurity programs and enforcement.
  • Cybersecurity personnel and third party service providers must receive continuous training to maintain the knowledge to effectively manage changing cybersecurity threats and countermeasures.
  • Entities must identify user access privileges to systems and data, determine access needs and limit privileges as applicable.

With cybersecurity playing an increasingly important role in the long-term success of each of our businesses, monitoring the implementation of regulations such as this, even if it is not directly applicable, is worth the effort. For in an environment such as cybersecurity, where the threat is constantly changing, the more techniques we can employ, whether from the NYDFS, ALTA, MBA, FTC or the CFPB, the more successful we will be in protecting our customers’ data.
