NYDFS cybersecurity regulation and data disposition
Take decisive action to meet new data retention regulations
Data security remains a top priority for businesses, and many operating in New York now face extra scrutiny. Meeting the various requirements of the New York State Department of Financial Services (NYDFS) cybersecurity regulation can seem daunting. Deloitte offers a road map to help firms reach compliance.
The journey to meet NYDFS cybersecurity regulations
For years, many firms have considered how to develop a timely approach to record disposal, but concerns over cost, implementation, and the risk of deleting critical data held them back. Now, with the NYDFS data disposition mandate, covered entities including banking, insurance, and financial services firms must tackle those barriers head-on.
Rising to the challenge comes with significant benefits:
- Litigation: Lower risks of lawsuits and lower discovery costs
- Maintenance: Lower cost of record migration and storage
- Data security: Fewer records to be stolen and less potential damage to reputation
A framework for NYDFS cybersecurity success
The NYDFS compliance timeline began in mid-2017, with the final deadline for meeting all requirements falling in September 2018. Any path to a compliant data security policy must account for the critical dependencies and requirements of every data source the firm holds.
Any approach to creating a defensible data disposition program should support an overall records management program. Deloitte developed a structured framework that breaks it down into five phases.
Deloitte’s framework for implementing a defensible records disposition program
Where data retention stops and data disposition starts
A cornerstone of the new regulation is protecting nonpublic information. Particularly for broker-dealers, who are already bound by strict data retention regulations, understanding how the new regulation affects data disposition is critical, especially where the gap between the end of a required retention period and the point at which disposition is expected is narrow.
Though the two sets of regulations may seem compatible, some firms choose to retain records well beyond regulatory requirements to save money and protect against potential risk. Programming record storage systems to recognize triggering events for data disposition can require substantial effort and time. Indefinite data retention may put firms at risk of noncompliance with the new NYDFS cybersecurity regulations.
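The passage above describes the core mechanic of a defensible disposition program: a record's retention clock starts at a triggering event, runs for a scheduled period, and only then does the record become eligible for disposal, unless a legal hold intervenes. The following is an added illustration of that logic, not Deloitte's framework or any tool the page describes. The record classes, triggering events and retention periods in `RETENTION_SCHEDULE` are constructed placeholders and do not represent any regulator's actual requirements; the sample records and review date are likewise constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Optional

# Constructed retention schedule: record class -> (triggering event, retention years).
# These periods are illustrative placeholders, not any regulator's real requirements.
RETENTION_SCHEDULE = {
    "customer_account": ("account_closed", 6),
    "trade_confirmation": ("trade_settled", 3),
    "marketing_lead": ("last_contact", 1),
}


@dataclass
class Record:
    record_id: str
    record_class: str
    created: date
    # event name -> date the event occurred; empty if nothing has triggered yet
    trigger_events: Dict[str, date] = field(default_factory=dict)
    legal_hold: bool = False


def disposition_date(rec: Record) -> Optional[date]:
    """Date on which the record becomes eligible for disposition, or None if the
    triggering event has not occurred (the retention clock has not started)."""
    event_name, years = RETENTION_SCHEDULE[rec.record_class]
    event_date = rec.trigger_events.get(event_name)
    if event_date is None:
        return None
    # Approximate calendar years as 365-day periods; a production schedule would
    # follow the regulator's own counting rules for the period.
    return event_date + timedelta(days=365 * years)


def classify(rec: Record, today: date) -> str:
    """Decide what to do with one record on a given day:
    'hold'    - a legal hold overrides the schedule; never dispose
    'retain'  - retention period still running, or never triggered
    'dispose' - period elapsed and no hold: eligible for defensible disposition
    """
    if rec.legal_hold:
        return "hold"
    due = disposition_date(rec)
    if due is None or today < due:
        return "retain"
    return "dispose"


def run_disposition_review(records: List[Record], today: date) -> Dict[str, List[str]]:
    """Group record ids by decision. 'untriggered' additionally lists records whose
    retention clock never started: the indefinite-retention case that leaves data
    exposed and puts the firm at risk of noncompliance."""
    report: Dict[str, List[str]] = {"hold": [], "retain": [], "dispose": [], "untriggered": []}
    for rec in records:
        decision = classify(rec, today)
        report[decision].append(rec.record_id)
        if decision == "retain" and disposition_date(rec) is None:
            report["untriggered"].append(rec.record_id)
    return report


# Constructed sample records and review date for demonstration.
REVIEW_DATE = date(2018, 9, 1)
SAMPLE_RECORDS = [
    Record("R1", "customer_account", date(2004, 6, 1), {"account_closed": date(2010, 1, 15)}),
    Record("R2", "customer_account", date(2012, 2, 1)),  # still open: clock never started
    Record("R3", "trade_confirmation", date(2017, 3, 1), {"trade_settled": date(2017, 3, 1)}),
    Record("R4", "marketing_lead", date(2016, 5, 1), {"last_contact": date(2016, 5, 1)}, legal_hold=True),
]

if __name__ == "__main__":
    for bucket, ids in run_disposition_review(SAMPLE_RECORDS, REVIEW_DATE).items():
        print(f"{bucket:>12}: {ids}")
```

The `untriggered` bucket is the one worth watching: records that never receive their triggering event are retained indefinitely by default, which is exactly the outcome the regulation pushes firms away from. A real program would feed that bucket back into data-quality work on the source systems so that closure, settlement and similar events are actually recorded.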
NYDFS cybersecurity is a reality. Will you be ready to comply?
Implementing a defensible data disposition program can’t be accomplished overnight or even over a few months. The initial deadlines have already passed, and the toughest requirements are looming.