
NYDFS cybersecurity regulation and data disposition

Take decisive action to meet new data retention regulations

Data security remains a top priority for businesses, and many operating in New York now face extra scrutiny. Meeting the various requirements of the New York State Department of Financial Services (NYDFS) cybersecurity regulation can seem daunting. Deloitte offers a road map to help firms reach compliance.

The journey to meet NYDFS cybersecurity regulations

For years, many firms have considered how to develop a timely approach to record disposal, but concerns over cost, implementation, and the risk of deleting critical data held them back. Now, with the NYDFS data disposition mandate, covered entities including banking, insurance, and financial services firms must tackle those barriers head-on.

Rising to the challenge comes with significant benefits:

  • Litigation: Lower risks of lawsuits and lower discovery costs
  • Maintenance: Lower cost of record migration and storage
  • Data security: Fewer records to be stolen and less potential damage to reputation

A framework for NYDFS cybersecurity success

The NYDFS timeline to meet all the requirements began in mid-2017 with the final deadline approaching in September 2018. Implementing the right path to a data security policy must consider all critical dependencies and requirements from all data sources.

Any approach to creating a defensible data disposition program should support an overall records management program. Deloitte developed a structured framework that breaks it down into five phases.

Deloitte’s framework for implementing a defensible records disposition program

Where data retention stops and data disposition starts

A cornerstone of the new regulation is protecting nonpublic information. Particularly for broker-dealers, who must follow strict data retention regulations, understanding how the new regulation will affect data disposition is critical, especially when the timing differential is razor-thin.

Though the two sets of regulations may seem compatible, some firms choose to retain records well beyond regulatory requirements to save money and protect against potential risk. Programming record storage systems to recognize triggering events for data disposition can require substantial effort and time. Indefinite data retention may put firms at risk of noncompliance with the new NYDFS cybersecurity regulations.

NYDFS cybersecurity is a reality. Will you be ready to comply?

Implementing a defensible data disposition program can’t be accomplished overnight or even over a few months. The initial deadlines have already passed, and the toughest requirements are looming.

Deloitte professionals offer specific expertise in cyber risk services and in governance, regulatory, and compliance to help your firm navigate new policy directives and set a course for success.

Meet the authors

Jay Cohen
Managing director | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
Josh Uhl
Senior manager | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
George Hanley
Managing director | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
Joseph Conroy
Manager | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP
Paul Yackinous
Senior manager | Deloitte Risk and Financial Advisory
Deloitte Transactions and Business Analytics LLP
Mat Kotowsky
Specialist senior | Deloitte Consulting
Deloitte Consulting LLP
Steve Allelujka
Senior consultant | Deloitte Risk and Financial Advisory
Deloitte & Touche LLP