 
Posted By Robert Treuber,
Friday, April 4, 2025
Superintendent Harris’s Operations and Technology Transformation Hits Major Milestones with DFS Connect Launch and 1000 Hires and Promotions Since January 2022
The New York State Department of Financial Services (DFS) today launched the DFS Connect platform, marking a significant milestone in the Department’s ongoing operations and technology transformation. Under Superintendent Adrienne Harris’s leadership, over the past three years, DFS has executed a strategic plan to invest in human capital, modernize technological resources, and streamline processes. These efforts ensure that DFS remains a forward-thinking, responsive regulator in an evolving financial landscape.
“Over the last three years, we have cultivated a culture of innovation, invested in new technological infrastructure, and updated key processes,” said Superintendent Harris. “DFS Connect is a pivotal example of how we are innovating to enhance regulatory oversight while making it easier for New Yorkers and businesses to engage directly with the agency.”
Over the course of the next three years, the DFS Connect digital portal will centralize the Department’s interactions with regulated entities and consumers. DFS Connect is eliminating outdated, fragmented systems and replacing them with a single, streamlined platform that enhances efficiency, improves oversight, and ensures better service to businesses and consumers. With today’s launch, New Yorkers can now submit complaints about prescription drug costs, pharmacy benefit managers (PBMs), and drug manufacturers. Once a complaint is submitted, an individual can track its status in real-time and communicate directly with DFS staff about their issue. By 2027, all consumer complaints and regulatory functions agency-wide, such as licensing, renewals, examinations, financial statements and legal filings, will be handled seamlessly through DFS Connect.
Since 2022, DFS has prioritized modernizing its regulatory infrastructure to ensure it is well-equipped to manage emerging risks. This has included a comprehensive technology overhaul, the establishment of the agency’s first Data Governance Office, and the hiring of the Department’s first-ever Chief Technology Officer and Chief Risk Officer. These steps have allowed DFS to enhance its analytical capabilities, implement real-time risk monitoring, and improve decision-making processes.
DFS has also invested heavily in strengthening its workforce, hiring and promoting more than 1,000 individuals over the past three years, including the first class of financial services examiner trainees since 2018. Additionally, the Department has expanded its regulatory capabilities by establishing the Climate Division and the Pharmacy Benefit Unit and elevating key operational functions by creating an executive leadership role dedicated to internal operations. These staffing investments, combined with business process redesign efforts, have eliminated backlogs that had persisted for years. Since implementing a new regulatory tracking system in 2023, DFS has now cleared more than 30,000 backlogged regulatory filings, ensuring more efficient oversight of financial institutions.
The Department will continue to invest in cutting-edge technology, data-driven oversight, and a highly skilled workforce to maintain its status as a 21st-century regulator. By enhancing its efficiency and responsiveness, DFS is not only adapting to the complexities of the modern financial landscape but also strengthening protections for New Yorkers and the financial system at large.
For more information or to sign up for DFS Connect, visit the DFS website or the DFS Connect platform.
Tags:
consumer
DFS
portal
Regulations

Posted By Robert Treuber,
Tuesday, November 14, 2023
The New York State Department of Financial Services (DFS) alerts all regulated entities to take immediate action to investigate and, if applicable, to mitigate the following cybersecurity threat.
On November 7, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) released guidance for addressing a critical vulnerability designated as CVE-2023-4966 which impacts multiple versions of Citrix NetScaler ADC and Gateway products. The vulnerability, also known as Citrix Bleed, could allow a cyber actor to take control of an affected system.
Threat actors are actively exploiting this vulnerability. According to Citrix’s website, there are reports of session hijacking and targeted attacks. Citrix strongly urges all affected users to immediately install recommended builds and to terminate and clear all active and persistent sessions. Please refer to the Citrix Security Blog for details and the necessary commands.
An additional vulnerability has been found in customer-managed instances of Citrix NetScaler ADC (formerly Citrix ADC) and NetScaler Gateway (formerly Citrix Gateway), CVE-2023-4967.
Exploitation of these vulnerabilities can result in deployment of ransomware, data theft, and business disruption.
DFS advises all regulated entities to assess promptly the risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and to take action to mitigate risk. As you assess risk, we recommend reviewing the CISA Alert and the Citrix Security Bulletin and Security Blog.
Regulated entities are reminded to report Cybersecurity Incidents that meet the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal. As of December 1, 2023, regulated entities who decide to make cyber extortion payments must report such payments to DFS within 24 hours and within 30 days provide a description of the rationale for, and diligence undertaken in connection with, making such payment. For more information, visit DFS’s Cybersecurity Resource Center.
If others in your organization should receive this cybersecurity information, please forward this email. Additional interested parties may also opt-in to receive "Cybersecurity Updates" from DFS.
Tags:
cybersecurity
DFS

Posted By Robert Treuber,
Wednesday, November 8, 2023
Download the regulation HERE.
Check this Newsblog and the Calendar for announcements on cybersecurity training and compliance education, currently under development.
Tags:
compliance
cybersecurity
DFS

Posted By Robert Treuber,
Monday, March 14, 2022
Updated: Monday, March 14, 2022
Annual Certifications of Compliance
The Certification of Compliance is a critical governance pillar of the cybersecurity programs of all Covered Entities. Prior to April 15th of each year, all Covered Entities must file a Certification of Compliance confirming their compliance with the Cybersecurity Regulation for the previous calendar year.
An entity or individual should only submit a Certification if they were in compliance with all portions of the regulations that applied to that Covered Entity during the time period the Certification covers. Even if a Covered Entity qualifies for an exemption pursuant to 500.19(a), (c), or (d), it has to submit a Certification of Compliance to demonstrate that it was in compliance with the sections of the regulation that apply pursuant to the particular exemption. (The exemption set forth in 500.19(b) is the only exemption that does not require a Covered Entity to file a Certification of Compliance.)
Certifications of Compliance for the calendar year 2021 are due by April 15, 2022. Covered Entities that hold more than one license must file a separate Certification of Compliance for each license they hold.
Instructions on how to file a Certification of Compliance can be found at https://www.dfs.ny.gov/system/files/documents/2019/12/cyber_cert_compliance_filing.pdf
Covered Entities Do Not Need to File New Notices of Exemption
Any DFS regulated entity or licensed person who filed a Notice of Exemption previously does not need to refile a Notice of Exemption. However, if your exempt status has changed, then the entity or individual should amend or terminate their filing through the DFS portal.
How to File
The DFS Cybersecurity Portal has been redesigned to assist you with your filings. To ensure that filings are matched to the appropriate Covered Entity or licensed person, we encourage the use of an identifying number when filing. Identifying numbers are New York State License number, NAIC/NY Entity number, NMLS number or Institution number. Please make sure that you have your license number available when you make your filing. A look-up feature is included in the Portal for anyone who does not know which number to use.
To get started please visit the DFS Cybersecurity Portal: https://myportal.dfs.ny.gov/web/cybersecurity/
Tags:
compliance
cyber
cybersecurity
DFS
Licensing
Regulations
technology

Posted By Robert Treuber,
Tuesday, April 14, 2020
Updated: Tuesday, April 14, 2020
Released on April 13, 2020
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200413_covid19_cybersecurity_awareness
Re: Guidance to Department of Financial Services (“DFS”) Regulated Entities Regarding Cybersecurity Awareness During COVID-19 Pandemic
To: All New York State Regulated Entities
As we face an unprecedented threat from the novel coronavirus known as “COVID-19,” every organization’s highest priority must be health and safety. The extraordinary steps necessary to combat the COVID-19 pandemic have also created new challenges as regulated entities work to continue operating and providing critical services. Among these new risks is a significant increase in cybercrime, as criminals seek to exploit the situation.[1]
The Department of Financial Services (“DFS”) has identified several areas of heightened cybersecurity risk as a result of this crisis. As called for by DFS’s cybersecurity regulation, 23 NYCRR Part 500, regulated entities should assess the risks described below and address them appropriately.[2]
We also remind all regulated entities that, under 23 NYCRR Section 500.17(a), covered Cybersecurity Events must be reported to DFS as promptly as possible and within 72 hours at the latest. Prompt reporting will enable DFS to respond quickly to new threats as DFS works to protect consumers and the financial services industry in these difficult times.
Heightened Risks
- Remote Working
The abrupt shift to mass remote working forced by COVID-19 has created new security challenges, and attackers are exploiting these new vulnerabilities.[3] These heightened risks to regulated entities’ networks and Nonpublic Information[4] include:
  - Secure Connections. Companies should make remote access as secure as possible under the circumstances. This includes the use of Multi-Factor Authentication and secure VPN connections that will encrypt all data in transit. See 23 NYCRR §§ 500.12 & 500.15.
  - Company-Issued Devices. As new devices such as computers and phones are acquired or repurposed for remote working, regulated entities should ensure that they are properly secured. This includes locking down the devices so applications cannot be added or deleted by the user, and installing appropriate security software, such as Endpoint Detection & Response and Mobile Device Management.
  - Bring Your Own Device (BYOD) Expansion. Regulated entities that have expanded their BYOD policies to enable mass remote working should be aware of the security risks and consider mitigating steps. Some personal devices are not properly secured or are already compromised. If an expanded BYOD policy is necessary, compensating controls should therefore be considered.
  - Remote Working Communications. Remote working has increased reliance on video and audio-conferencing applications, but these tools are increasingly targeted by cybercriminals. Regulated entities should configure these tools to limit unauthorized access, and make sure that employees are given guidance on how to use them securely.
  - Data Loss Prevention. Employees may be using unauthorized personal accounts and applications, such as email accounts, to remain productive while remote working. Regulated entities should remind employees not to send Nonpublic Information to personal email accounts and devices. Anticipating and solving productivity problems will reduce the temptation to use such devices.
- Increased Phishing and Fraud
There has been a significant increase in online fraud and phishing attempts related to COVID-19. For example, the FBI has reported that criminals are using fake emails that pretend to be from the Centers for Disease Control and Prevention (“CDC”), ask for charitable contributions, or offer COVID-19 relief such as government checks.[5]
Regulated entities should remind their employees to be alert for phishing and fraud emails, and revisit phishing training and testing at the earliest practical opportunity. Now that face-to-face work is curtailed, authentication protocols may need to be updated – especially for key actions, like security exceptions and wire transfers.
- Third-Party Risk
The challenges created by the COVID-19 pandemic have also affected third-party vendors, and regulated entities should re-evaluate the risks to critical vendors. See 23 NYCRR § 500.11. Regulated entities should coordinate with critical vendors to determine how they are adequately addressing the new risks.
Conclusion
The COVID-19 pandemic has disrupted normal operations in the financial services industry and beyond, and cyber criminals are exploiting the crisis. Despite the extraordinary challenges, regulated entities should remain vigilant. By following good cybersecurity practices, entities can identify, mitigate, and manage the risks.
[1] See DHS Cybersecurity and Infrastructure Security Agency (“CISA”), COVID-19 Exploited by Malicious Cyber Actors (April 8, 2020).
[2] Heightened cyber risk should also be addressed in the COVID-19 operational preparedness plans called for by DFS guidance issued on March 10, 2020. See Guidance to New York State Regulated Institutions and Request for Assurance of Operational Preparedness Relating to the Outbreak of the Novel Coronavirus.
[3] See FBI, Cyber Actors Take Advantage of COVID-19 Pandemic to Exploit Increased Use of Virtual Environments (April 1, 2020); U.S. Secret Service, Secret Service Issues COVID-19 (Coronavirus) Phishing Alert (March 9, 2020).
[4] 23 NYCRR § 500.01(g).
[5] See FBI, FBI Sees Rise In Fraud Schemes Related to the Coronavirus (COVID-19) Pandemic (March 20, 2020).
Tags:
Coronavirus
COVID-19
cybersecurity
DFS
technology

Posted By Robert Treuber,
Saturday, April 4, 2020
Updated: Saturday, April 4, 2020
https://www.dfs.ny.gov/industry_guidance/industry_letters/il20200403_paycheck_protection_loan_program
Industry Letter
April 3, 2020
To: The Chief Executive Officers or the Equivalents of New York State Regulated Institutions
The New York State Department of Financial Services (Department) is issuing this letter with respect to the Paycheck Protection Loan Program (the Program) created by the recently enacted Coronavirus Aid, Relief and Economic Security Act (CARES Act), through which the U.S. Small Business Administration’s (SBA’s) 7(a) Loan Program [1] will offer a new loan product. The CARES Act provides for forgiveness of up to the full principal amount of qualifying loans guaranteed under the Program.
As you know, the COVID-19 pandemic has placed many small businesses, not-for-profit organizations and their employees in dire need of funding to survive. The Program is intended to provide economic relief to small businesses nationwide, including the many New York businesses that have been significantly adversely impacted by the COVID-19 pandemic.
Yesterday, the SBA issued its interim final rule, announcing the implementation of the CARES Act for the Program. The interim final rule includes formal guidance that outlines the key elements of the SBA’s implementation of the Act, and the SBA requests public comments.
The interim final rule provides that a lending institution does not need to conduct any verification if the borrower submits documentation supporting its request for a loan and attests that it has accurately verified the payments for eligible costs. The SBA Administrator will hold harmless any lender that relies on such borrower documents and attestations. The loans guaranteed under the Program will be under the same terms, conditions and processes as other 7(a) loans with certain exceptions, such as the guarantee percentage being 100%, and the lack of a requirement for collateral or personal guarantees.
The Program authorizes existing 7(a) lenders to participate in the Program, and allows for the authorization of additional 7(a) lenders if the lender is (1) a federally insured depository institution or a federally insured credit union; (2) any Farm Credit system institution with certain exceptions; and (3) certain specified types of depository and non-depository financing providers that originate, maintain and service business loans or other commercial financial receivables and participation interests, subject to meeting certain additional criteria.
Small business lending is at the core of what many of your institutions do every day. Your knowledge of the local markets and community needs, along with your underwriting skills, are exceptionally important during this time of crisis. Your active participation is critical to the success of this Program and the much needed help our small businesses deserve during this unprecedented interruption to their operations and the lives of many of their employees.
The Department strongly encourages all its institutions that are eligible to participate in the Program to participate and provide this desperately needed help to small businesses so they can weather the current crisis and sustain their employee base, subject to their safety and soundness requirements. The Department also encourages those that are not currently eligible for participation to obtain eligibility so they can participate in the Program.
The Department appreciates all of your hard work to keep the financial system open and operating in New York State and commends you for your leadership and support of small businesses during the current crisis.
Sincerely,
Linda A. Lacewell, Superintendent
New York State Department of Financial Services
[1] The 7(a) Loan Program is the SBA’s primary program for providing financial assistance to small businesses.
Tags:
COVID-19
DFS
Lacewell
SBA

Posted By Robert Treuber,
Saturday, April 4, 2020
Guidance to Insurance Producers regarding Electronic Delivery of Notices Pursuant to new 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4)
The Department of Financial Services (“Department”) is aware of insurance producers (“Producers”) facing challenges complying with the notice obligations in new 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4) described below (“Notice Obligations”).
First, regarding obtaining consumers’ consent to electronic communications, please see the Department’s Current Guidance Regarding Electronic Signatures, Transactions, and Filings with DFS.
Second, the Department is accommodating Producers by reducing their burden to fulfill the Notice Obligations during the current state of emergency. Specifically, for the duration of the current state of emergency, Producers may comply with the Notice Obligations by emailing the notices to the consumers for which the Producers have email addresses, regardless of whether the consumers have consented to receiving this notice via email.
Producers with websites should post the information on their websites as soon as possible. The Department also encourages supplemental dissemination of the content of the Notice Obligations by other means, including social media.
Finally, Producers should maintain records of their communications with consumers, electronic or otherwise, used to satisfy the Notice Obligations for a period of time sufficient to satisfy applicable statutes of limitation and, where an action or claim is pending, for such period of time until the matter is resolved. See Office of General Counsel Opinion 05-03-32 (March 24, 2005). In addition, if a Producer obligated itself by contract with its principal, the insurer or insured, to retain records for a period of time, then such obligation, if legally enforceable, must be satisfied, subject to an alternative acceptable to the principal. These communications used to satisfy the Notice Obligations may be subject to Department review, including but not limited to, on examination.
Below is a summary of the insurance producer requirement in the relevant emergency regulations.
New 11 NYCRR § 229.5(b) and 3 NYCRR § 405.6(b)(4) require a licensed insurance producer who services an in-force life insurance policy, annuity contract, or fraternal benefit society certificate or who procured a property/casualty insurance policy for the policyholder or contract holder to mail or deliver notice to the policyholder or contract holder of the provisions of 11 NYCRR 229 and 3 NYCRR § 405.6 within ten business days following the promulgation of 11 NYCRR 229 and 3 NYCRR § 405.6.
Tags:
Coronavirus
COVID-19
DFS
disclosure
Regulations

Posted By Jean Partridge, Agent Section Vice-chair,
Wednesday, August 1, 2018
The recent decision by Judge Rakower and the ensuing developments have been overwhelming to understand at times. Much of this complexity was explained at the two Town Hall meetings but of course every member was not able to attend those sessions.
Therefore, we are providing you with a brief summary of the status of the litigation below. I will do my best to keep this simple and concise.
- We brought our suit in the NY State Supreme Court in New York County.
- The case was assigned to Judge Rakower and pleadings were filed by our attorneys.
- The Attorney General’s (AG) office representing the DFS replied to our pleadings and we responded.
- A hearing was held before Judge Rakower on June 14, 2018.
- Judge Rakower rendered a decision on July 5th.
- The decision effectively nullified Regulation 208 in its entirety.
- The AG filed a notice of appeal on July 6th.
- The AG immediately notified our attorneys of their intention to seek an emergency stay of the judge’s decision. (An emergency stay, if granted, would postpone the judge’s ruling of annulling the regulation and “reimpose” the Regulation 208 until the case was heard on appeal in the Appellate Division.)
- The AG later informed our counsel that they would NOT be seeking an emergency stay.
- Both the AG and NYSLTA must file additional pleadings with the Appellate Division prior to the next court appearance.
The earliest this matter could come before the Appellate judges is October. Given the congestion of the court’s schedule, it could slip to late October or later. Until then, the regulation 208 is annulled. All other regulations pertaining to the title industry remain in effect.
We will continue to keep you advised.
Tags:
Article 78
DFS
litigation
Reg 208
Regulations

Posted By Robert Treuber,
Sunday, July 8, 2018
Updated: Sunday, July 8, 2018
To NYSLTA Members –
As you may have seen in the New York Times, The NY Law Journal, Crain’s NY and The Real Deal, on July 5, 2018, Judge Eileen Rakower in New York County Supreme Court ruled in favor of the NYSLTA, Venture Title and Great American Title Agency by declaring NYDFS Regulation 208 annulled in its entirety.
The following day, the DFS filed an appeal with the Appellate Division.
The judge’s ruling and the DFS appeal can be viewed online, here: https://bit.ly/2KO7u8T
There is a natural exuberance at our victory in Supreme Court and a sense of vindication. These emotions are to be enjoyed but tempered with an understanding of the “big picture” and the realization that this matter is not yet settled.
First, act professionally.
When this is all behind us, there will still be a DFS and we will still be a regulated industry. Heed the advice of Ron Burgundy and “stay classy”. This is not a time for grandstanding and chest-thumping.
Second, be mindful of everything we have learned about DFS in this process.
We can assume greater scrutiny, an expanded market conduct investigation and efforts to provide evidence for the DFS claims of deceptive practices. Don’t give your adversary the rope she will use to hang you.
The “safe harbor” is to operate one’s business conservatively. Are your disclosures in order? Are you fully in compliance with Regulation 206? Does your cybersecurity program meet all requirements of the regulation?
Third, silence is golden.
Resist the lure of a request for comment from a reporter “on a tight deadline”. If you have seen some of the news stories, you can see how innocuous statements can appear disparaging to the entire industry.
As we learn more about the implications of the DFS appeal, more information will be forthcoming to Members. Town Halls are being planned for Westchester and Long Island. Details to follow.
The Underwriters and the Agent Members have funded a significant victory for the title industry. A handful of people have dedicated hundreds of hours to prosecuting this case for the benefit of everyone.
Thank you for your support.
Thank you for being the New York State Land Title Association.
Tags:
Article 78
DFS
litigation
Reg 208
Regulations

Posted By Robert Treuber,
Monday, June 18, 2018
On June 14, 2018, Judge Rakower granted the request for a stay on the filing of a premium rate reduction, per Regulation 208.
Please see the attached document.
Tags:
Article 78
DFS
Reg 208
Regulations