Skip to content

Licensing

The NYDFS Cybersecurity Approach Marks a Radical Shift for Financial Institutions

Guest Writer: Kim Phan and Roshni Patel with Ballard Spahr The New York Department of Financial Services ("NYDFS") has issued new cybersecurity regulations that went into effect on March 1, 2017. New York Governor Andrew Cuomo described the new regulations as the "first-in-the-nation" to require cybersecurity protections for New York consumers from the ever-growing threat

← All articles
Filed under Licensing

Guest Writer: Kim Phan and Roshni Patel with Ballard Spahr

The New York Department of Financial Services (NYDFS) issued new cybersecurity regulations that took effect on March 1, 2017. Governor Andrew Cuomo called them the "first-in-the-nation" rules to require cybersecurity protections for New York consumers against the growing threat of cyberattacks.

Many companies still ask how far the rules reach outside New York. They also ask whether the NYDFS approach will become the de facto national standard while the federal level stays quiet.

The rules define covered entities broadly. The term includes any individual or non-governmental entity that operates under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York banking, insurance, or financial services laws.

NYDFS expects covered entities to put specific technical measures in place. Those measures include hiring a Chief Information Security Officer (CISO), using multi-factor authentication, encrypting data, and running penetration testing. Covered entities must also report cybersecurity incidents to NYDFS within 72 hours.

This is a sharp break from the federal approach, which is generally risk-based. Early drafts of the NYDFS rules were even more prescriptive. After heavy criticism from the industry, the final rules let institutions tailor parts of their program to their own risk assessment.

Financial institutions need to move quickly toward the compliance deadlines. Covered entities should treat this as a board-level matter. Someone from the board or senior management must sign an annual certification confirming compliance. The first certification was due no later than February 15, 2018.

NYDFS urged every regulated institution that had not yet done so to adopt a cybersecurity program that meets the minimum standards in the rules.

Attorneys in Ballard Spahr's Consumer Financial Services and Privacy and Data Security groups advise on state and federal privacy and data security laws across the consumer financial services industry. They regularly help clients build and strengthen risk-based information security programs, including risk assessments and incident response plans.

Found This Useful? Let's Get You Set Up.

Start an application and an expert will tailor the next steps to your situation.

Related reading

Maryland Rent Collection in 2026: 7 Licensing Risks Property Managers Must Avoid

Licensing

Maryland Rent Collection in 2026: 7 Licensing Risks Property Managers Must Avoid

Property managers in Maryland are running into a question that is getting more attention and creating real operational risk. Does collecting rent, especially when a tenant is past due, trigger Maryland's collection agency licensing requirements?

Licensing Challenges for Mortgage Servicers

Licensing

Licensing Challenges for Mortgage Servicers

Mortgage servicers play a central role in the housing finance system. They collect borrower payments, manage escrow accounts, respond to customer inquiries, and step in with loss mitigation or foreclosure processes when borrowers fall behind. Servicers act as the day-to-day managers of loans after origination, ensuring that cash flows properly between borrowers and investors. Since [...]

The Pros and Cons of Outsourcing Debt Collection for Startups and Small Businesses

Licensing

The Pros and Cons of Outsourcing Debt Collection for Startups and Small Businesses

Cash flow is the lifeblood of every startup. When customers delay or default on payments, even the most innovative ideas can stall. Founders often face a critical challenge: Should we collect overdue invoices ourselves, or hand them off to a third-party debt collection agency? Outsourcing debt collection - sometimes called debt recovery outsourcing - has become increasingly common for [...]

The One Coverage You Probably Don't Have, But Need

Insurance

The One Coverage You Probably Don't Have, But Need

You have taken steps to protect your agency against consumer lawsuits, but what about the potential threat from within your organization? The number of lawsuits against employers for hiring and firing decisions, or even discrimination, continues to rise. No company is immune to these types of lawsuits, and the inevitable turnover on your collection [...]

Student Loan Servicer Licensing Laws (What You Should Know)

Licensing

Student Loan Servicer Licensing Laws (What You Should Know)

State-Level Student Loan Servicers Licensing Requirements are on the Rise Over the last 18 months, state-level licensing requirements for student loan servicers have become increasingly in vogue, particularly in blue states with progressive legislatures, governors, and attorneys general. This attempt to intercede in a field already dominated by the federal government (the largest lender, guarantor, [...]

Are You Thinking Differently About Who Can Be Your Client?

Licensing

Are You Thinking Differently About Who Can Be Your Client?

Are You Thinking Differently About Who Can Be Your Client? I know that many collection agencies are scrambling to keep up with the changing state rules and client decisions about who is considered essential, whether agents can work remotely, and whether/under what circumstances you can engage in proactive outbound collection efforts. I have heard from [...]

Browse the full insights library, meet our editorial team, or download our whitepapers.

Insights

Found This Useful? Let's Get You Set Up.

An expert will respond within one business day.