New York’s New Security Rules Emphasize Identity and Access Management

In September 2016, New York Governor Andrew Cuomo announced new regulations that established minimum security requirements for the protection of sensitive data in the financial services sector. The first state-mandated regulations of their kind in the nation, the new rules cover banks, insurance companies, and other financial services firms licensed by the New York Department of Financial Services (DFS), as well as third-party service providers that have access to the firms’ data. Most of the provisions went into effect on March 1, 2017, though some include transition periods of six months to two years.

The DFS released the final version of the rules on February 16, 2017. At a high level, covered entities must establish security policies and programs designed to protect IT systems and any confidential information stored on those systems. Such entities must improve their ability to monitor user activity, track access privilege, and maintain logs of unauthorized access attempts. They must also document an incident response plan. To adhere to the new rules, organizations might find it necessary to invest in integrated security operations platforms with behavioral analytics and threat intelligence capabilities.

New York financial services firms might be the first that are required to comply with the new regulations related to access controls and data protection, but it’s only a matter of time before other organizations face similar obligations. Smart organizations will begin to investigate identity and access management (IAM) and data governance tools to enhance their security posture and prepare for future regulatory requirements.

Identity and access management (IAM) is a primary emphasis of the new regulations. That’s because perimeter, system, and device-level access controls are no longer sufficient to secure data across on-premises, cloud-based, and hosted services. Roles and privileges must be defined and managed based on the type of data to be protected, where it’s stored, and how it’s shared.

Covered entities also have to implement stricter procedures for sharing information with third parties. This requires identity governance and the enforcement of access policies both inside and outside the network perimeter. Furthermore, username and password credentials are no longer sufficient for users who access data via an external network; multifactor, risk-based authentication is required.

Encryption of data in transit as well as at rest is required under the rules. In addition, effective data governance processes must be implemented across both internal and third-party environments. Records relevant to financial transactions and business operations must be retained for five years, and records related to the detection of and response to cybersecurity events must be retained for three years. Nonpublic information must be destroyed after the applicable retention period expires.

Financial services firms outside New York can’t assume they’ve dodged a regulatory bullet. The rules apply to outside organizations that do business in New York as well as those physically located in the state. Organizations that fail to comply could face substantial penalties and sanctions.

The new regulations are expected to serve as a baseline for the financial services sector and will have an impact far beyond state lines due to the global reach of New York financial institutions. Other states and industries will be watching closely to see how the rules are implemented, what challenges are experienced, and what modifications might be necessary.


If you would like more information about how the right IAM solution can help you meet industry specific security requirements, please reach out to us via email at (

Leave a Comment