# Understanding New York State's Cybersecurity Compliance for Financial Institutions

By [Lawrence Chin](https://www.paloaltonetworks.com/blog/author/lawrence-chin/), Mar 01, 2017. Category: Financial Services. Tags: Financial Services, New York State Department of Financial Services.

*The New York State Department of Financial Services (DFS) cybersecurity regulations go into effect today. In this blog post, I'll share what these regulations mean and the biggest changes that financial services companies can expect over the next several months.*

As a recap, in late December 2016, the DFS published its revised proposal for cybersecurity regulations. The proposal explicitly calls out the need for, and the responsibilities of, a Chief Information Security Officer (CISO) function. The occupant of this role must be a qualified individual responsible for overseeing and implementing the cybersecurity program. Similarly, the regulation calls for the use of qualified cybersecurity personnel with current knowledge and ongoing training in that discipline. Although the qualifications of these individuals are not explicitly defined, the implication is that they are, and must remain, well-versed in cybersecurity.

The DFS also places explicit demands on senior officers or the board of directors to ensure their active participation in the cybersecurity program. This includes approval of the cybersecurity policy, review of an annual report by the CISO (effective February 15, 2018), and an annual certification of compliance -- signed by an individual. This last piece is reminiscent of the Sarbanes-Oxley Act and opens the door to potential individual liability. Clearly, the intent is for that senior officer and the entire board to take their cybersecurity responsibility seriously.

Compliance dates for various portions of the regulation are staggered over the next 24 months. This was a change from the original proposal and is an acknowledgement of the challenges that covered financial institutions will face in complying with specific provisions. Here's a look at a few of these provisions to give a flavor of how difficult compliance will be.

**At the 12-month stage**, covered entities will need to have multi-factor or risk-based authentication in place for access to nonpublic information -- even internally. Many financial institutions use multi-factor authentication (MFA) for remote access to their corporate networks, but few have adopted it for access to internal resources, as there are additional complexities and costs involved. Moreover, for legacy applications or systems that do not support MFA natively, a compensating control will be needed to protect the nonpublic information they hold.

**At 18 months**, encryption of nonpublic information both in transit and at rest will be required. Where this is infeasible, CISO-approved compensating controls are acceptable, but they must be reviewed annually. Financial institutions typically encrypt the data on laptops, as those are prone to loss or theft. However, encryption of data at rest on servers or in databases may not be common practice, except where payment cardholder information is involved. This will have to be expanded to cover any nonpublic information. Data in transit should ideally be encrypted by the application itself. Consequently, this may require changes to a large number of commercial and internally developed applications. Some older applications, however, may be unable to encrypt natively; in such cases, encryption could be delegated to the network as an alternate control.

**At the 24-month mark**, financial institutions will need measures in place to ensure the security of nonpublic information that is accessible to, or held by, third-party service providers. The long lead time for this is necessary given the number of suppliers or partners that may have access to or handle nonpublic information. The initial risk assessment, the definition of minimum cybersecurity practices, the subsequent contract revisions, and so on with third-party service providers will clearly be time-consuming. Some financial institutions already have enterprise risk management programs in place that include some degree of vendor risk management. However, even these will need to be broadened to monitor cybersecurity risks at providers that touch nonpublic information.

At the federal level, the themes of active board participation and concern over third-party cybersecurity risks have also been echoed. The Federal Reserve Board, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) have issued an advance notice of proposed rulemaking (ANPR) for enhanced cyber risk management. Public comments were due in late January 2017, but as written, the ANPR calls for more active board-level involvement in cybersecurity programs and for the extension of enhanced standards to address cyber risk at third-party providers to the financial sector as well.

Financial institutions licensed by the state of New York should develop their plans to address the provisions of the newly effective cybersecurity regulation, but keep an eye on the progress of the proposed federal regulations as well, where applicable. In the end, financial institutions may be better served by developing an overarching cybersecurity program that encompasses their risks and ultimately subsumes regulatory requirements. Other states may follow New York's lead and conceivably introduce their own cybersecurity regulations as well. As global financial institutions already know, variations in regulations across jurisdictions can be complex to manage in a piecemeal fashion.