NYDFS

At Access Point Consulting, our team possesses in-depth knowledge and experience in the regulations set forth by the New York Department of Financial Services (NYDFS). We are dedicated to ensuring that your organization and its operations fully adhere to NYDFS requirements, allowing you to concentrate on your primary objectives. By entrusting your NYDFS compliance needs to us, your organization can realize significant benefits, as our outsourced services offer a more cost-effective alternative to maintaining an internal compliance team.

Our Approach

Because the enforcement of NYDFS compliance comes from outside your company, this validation approach can enhance trust and credibility with clients, partners, and regulatory bodies, even as it demonstrates a responsible approach to safeguarding sensitive financial information. Our approach follows three central tenets:

Transparency

Transparency is at the core of our approach to NYDFS compliance at Access Point. We believe in reporting all findings, whether positive or negative, to ensure you have a clear understanding of your compliance status. By providing comprehensive and honest assessments, we empower your informed decision-making on NYDFS compliance initiatives. We also provide metrics so that you can broadcast the effectiveness of your compliance program.

Leadership

The surge in regulatory demands across finance has heightened the industry’s vulnerability to investigations, underscoring the criticality of a robust NYDFS compliance program. Effective compliance leadership serves as a key resource to oversee and manage the intricacies of the NYDFS compliance program on a daily basis. By providing guidance and implementing best practices, the strong compliance leadership we provide spares your organization regulatory troubles while ensuring ongoing compliance with NYDFS regulations.

Collaboration

We take a collaborative approach to guide your organization towards NYDFS compliance, leveraging the collective expertise of various Access Point departments. By working synergistically, we ensure that your systems meet the necessary regulations and standards. Our Compliance team supports other internal departments by staying abreast of changes in regulations, industry standards, and emerging threats, keeping everyone informed and aligned. This allows us to capitalize on each other's strengths to deliver optimal outcomes to our clients.

Program Deliverables

Policy Development & Implementation

Policies are high-level statements of intention that set the expectations for meeting the organizational objectives (e.g. “We will encrypt data at rest, in use and in transit”). Access Point can assess current policies, identify any gaps, and assist with implementing and socializing the new policies to ensure they adhere to the proper regulations.

Awareness & Training

As technology continues to evolve, so do the volume and variety of cyber threats and attacks. In addition, with more than 300 million people now working remotely, insider threats can cost companies an average of $7.5 million annually. Access Point can help organizations promote a culture of cybersecurity awareness by implementing continuous training and educating staff, contractors, and third parties on the risk they could pose to the company through their daily activities.

Audit Readiness

Achieving audit readiness can be challenging due to the ever-changing landscape of complex cyber and privacy laws and regulatory requirements. Access Point will review your organization’s administrative, technical, and physical controls against security control frameworks to ensure they are compliant with relevant regulatory and legal statutes. Our team will provide clients with detailed reports outlining compliance status and will include recommended actions.

IT General Controls (ITGCs) Assessment

To support IT applications, it is important to have the appropriate controls in place to ensure that applications are working as intended. The areas of focus for ITGCs are Access Control, Change Management, DevOps, and Program Management. Access Point can perform an overall assessment of the management controls in the organization’s environment to determine if and where there are gaps. Our services ensure that systems, processes, and procedures are aligned with the current controls and operate effectively.

An Overview of NYDFS

The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, also known as 23 NYCRR 500, is a regulation that establishes cybersecurity requirements for financial services companies operating in the state of New York. It was first issued in March 2017 and is considered one of the first state-level regulations that specifically focuses on cybersecurity risk management. The regulation applies to all entities operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law of New York.

The NYDFS Cybersecurity Regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. It requires covered entities to assess their cybersecurity risk and implement a comprehensive cybersecurity program accordingly. The regulation outlines specific requirements, including but not limited to:

The establishment of a cybersecurity program designed to protect the confidentiality, integrity, and availability of information systems.

The adoption of a written cybersecurity policy or policies, approved by senior management or the board of directors, that address areas such as data governance, asset inventory and device management, access controls, cybersecurity risk assessment, and incident response.

The designation of a Chief Information Security Officer (CISO) responsible for overseeing and implementing the cybersecurity program and enforcing its policy.

The development and implementation of an incident response plan.