Financial Crime World

NYDFS Cracks Down on Financial Institutions’ Data Protection

The New York Department of Financial Services (NYDFS) has issued new regulations requiring financial institutions to assess their specific risk profile and design a robust program to address those risks in an effort to protect customer data from cyber attacks.

Protecting Customer Data

In addition to existing regulations such as the General Data Protection Regulation (GDPR), California Consumer Privacy Act (CCPA), and Payment Card Industry Data Security Standard (PCI DSS), financial institutions are now required to:

  • File an annual certification detailing their compliance efforts
  • Implement a robust program to address specific risks

Under the CCPA, California consumers have several rights regarding their personal information, including:

  • The right to know what data is being collected
  • The right to delete that data
  • The right to opt out of its sale

The GDPR provides individuals with greater protection and rights regarding their data.

Encryption and Firewall Protection

Financial institutions are required to implement encryption to protect cardholder data and personally identifiable information (PII). PCI DSS prohibits the storage of full magnetic stripe or chip track data, and any PII should be protected with encryption in both storage and transit over public or private networks. Additionally:

  • Firewalls must be installed and maintained under PCI DSS guidelines
    • Change default passwords
    • Restrict payment system access
    • Deny unauthorized traffic

Intrusion Detection and Logging

Financial institutions should use an intrusion detection system (IDS) to detect intrusions into the network and, together with the firewall, to prevent them. The two work in conjunction: the firewall blocks traffic that violates policy, while the IDS monitors the traffic that remains for signs of malicious intent.

Logs must also be kept and reviewed under the Gramm-Leach-Bliley Act (GLBA), including guidelines for:

  • Identifying specific log sources
  • Analyzing them for potentially threatening network activity
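As an added example (not from the article, nor from any NYDFS, PCI DSS or GLBA material), the Python script below shows what "identifying log sources and analyzing them for threatening activity" can look like in practice, and how the firewall section's "deny unauthorized traffic" rule feeds that review: denied connections are evidence only if they are logged and examined. It parses a constructed, hypothetical syslog-like format for firewall and payment-system authentication events, lists the log sources seen, and flags two patterns a reviewer would escalate: one external address whose denied connections touched many ports in a short window, and repeated failed logins against a single account. The log format, hostnames, addresses, user names and thresholds are all assumptions made for the example.

```python
"""Review firewall and authentication logs for signs of hostile network activity.

Added example. The log format, hosts and addresses below are constructed for
illustration; they are not a vendor's real format or the article's material.
"""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines (hypothetical format):
#   <timestamp> <source> <action> src=<ip> dst=<ip> dport=<port> [user=<name>]
SAMPLE_LOGS = """\
2024-03-01T10:00:01Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=22
2024-03-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=23
2024-03-01T10:00:02Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=80
2024-03-01T10:00:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=443
2024-03-01T10:00:03Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=3389
2024-03-01T10:00:04Z fw01 DENY src=203.0.113.9 dst=10.0.0.5 dport=8080
2024-03-01T10:00:10Z fw01 ALLOW src=10.0.0.7 dst=10.0.0.5 dport=443
2024-03-01T10:01:00Z fw01 DENY src=198.51.100.4 dst=10.0.0.5 dport=445
2024-03-01T10:05:00Z pay01 AUTH_FAIL src=198.51.100.4 dst=10.0.0.5 dport=22 user=admin
2024-03-01T10:05:03Z pay01 AUTH_FAIL src=198.51.100.4 dst=10.0.0.5 dport=22 user=admin
2024-03-01T10:05:06Z pay01 AUTH_FAIL src=198.51.100.4 dst=10.0.0.5 dport=22 user=admin
2024-03-01T10:05:09Z pay01 AUTH_FAIL src=198.51.100.4 dst=10.0.0.5 dport=22 user=admin
2024-03-01T10:05:12Z pay01 AUTH_FAIL src=198.51.100.4 dst=10.0.0.5 dport=22 user=admin
2024-03-01T10:30:00Z pay01 AUTH_OK src=10.0.0.7 dst=10.0.0.5 dport=22 user=jsmith
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<source>\S+) (?P<action>\S+) "
    r"src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)(?: user=(?P<user>\S+))?$"
)


def parse_logs(text: str) -> list[dict]:
    """Turn raw lines into event dicts; a malformed line raises so format drift is noticed."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable log line: {line!r}")
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"].rstrip("Z"), "%Y-%m-%dT%H:%M:%S")
        e["dport"] = int(e["dport"])
        events.append(e)
    return events


def _max_in_window(events: list[dict], window: timedelta, key=None) -> int:
    """Largest count of events (or of distinct key values) inside any span of length `window`."""
    events = sorted(events, key=lambda e: e["ts"])
    best = 0
    for i, first in enumerate(events):
        seen, count = set(), 0
        for e in events[i:]:
            if e["ts"] - first["ts"] > window:
                break
            count += 1
            if key is not None:
                seen.add(key(e))
        best = max(best, len(seen) if key is not None else count)
    return best


def find_port_scans(events, window=timedelta(seconds=60), min_ports=5) -> list[str]:
    """Sources whose denied connections touched >= min_ports distinct ports within `window`."""
    by_src = defaultdict(list)
    for e in events:
        if e["action"] == "DENY":
            by_src[e["src"]].append(e)
    return sorted(src for src, evs in by_src.items()
                  if _max_in_window(evs, window, key=lambda e: e["dport"]) >= min_ports)


def find_login_brute_force(events, window=timedelta(minutes=5), min_failures=5) -> list[tuple]:
    """(source address, account) pairs with >= min_failures failed logins within `window`."""
    by_key = defaultdict(list)
    for e in events:
        if e["action"] == "AUTH_FAIL":
            by_key[(e["src"], e["user"])].append(e)
    return sorted(k for k, evs in by_key.items() if _max_in_window(evs, window) >= min_failures)


def review(text: str) -> dict:
    """Identify the log sources present and report the findings a reviewer should escalate."""
    events = parse_logs(text)
    return {
        "sources": sorted({e["source"] for e in events}),
        "port_scans": find_port_scans(events),
        "brute_force": find_login_brute_force(events),
    }


if __name__ == "__main__":
    for name, value in review(SAMPLE_LOGS).items():
        print(f"{name}: {value}")
```

The thresholds are deliberately parameters: the article's point is that each institution assesses its own risk profile, and the same logic applied to a customer-facing gateway and to an internal management network would reasonably use different windows and counts.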

Vendor Management

Financial institutions that engage third-party vendors must conduct robust due diligence when onboarding those vendors and perform ongoing monitoring of the relationship. This is crucial because cybercriminals often exploit weak security in third-party vendors to gain access to larger entities they serve.

Centralizing Compliance Management

In an effort to streamline compliance management, many financial institutions are turning to third-party security operations centers (SOCs) that employ teams of security experts. These SOCs provide a comprehensive platform for:

  • Centralizing compliance management
  • Optimizing threat detection and response

For more information on how to enhance your organization’s cybersecurity posture, download the Financial Industry Cybersecurity Checklist.
