For years, financial institutions treated NYDFS compliance as a documentation exercise. Policies were written, controls were described, and annual certifications were submitted.
That era is over.
The New York Department of Financial Services (NYDFS) now expects firms to prove how they protect Nonpublic Information (NPI) across every system, cloud, and third-party connection. And regulators have shown they will pursue large penalties when firms cannot demonstrate that protection in practice.
This shift has caught many organizations off-guard. They invested in detection tools, audits, and dashboards, but far fewer invested in controls that actually secure data wherever it moves.
This blog breaks down why NYDFS has raised expectations, where organizations are failing, and why data-centric protection is now the control regulators look for.
NYDFS Is No Longer About “Reasonable Security”: It’s About Evidence
NYDFS supervisors have repeatedly stated that certification alone is no longer enough. Firms must be able to show how NPI is segmented, encrypted, and controlled across hybrid and multi-cloud networks.
Recent enforcement actions underline this change:
EyeMed Vision Care — $4.5M penalty
NYDFS found the organization failed to maintain effective access controls and left known security gaps unresolved. Sensitive customer data was exposed, and the regulator concluded the firm lacked proper oversight of systems handling NPI.
First American — $1M penalty
A web application vulnerability exposed hundreds of millions of documents containing personal and financial information. NYDFS determined the company had identified the vulnerability months before the exposure became public yet did not remediate it or maintain adequate processes to protect NPI.
Both cases share a theme: NYDFS now investigates whether firms can prove their controls work, not whether they just exist on paper.
Why NYDFS-Regulated Firms Are Struggling
Most institutions can see their risk. They have dashboards, scanners, reports, and audits. But very few can control that risk across the places regulators now examine:
- Multi-cloud estates (AWS, Azure, Google Cloud, private cloud)
- A mix of modern and legacy applications
- Third-party service providers and integrations
- Data flows crossing internal and external boundaries
In practice, this results in:
- Inconsistent protection across different clouds
- Poor visibility of how NPI moves between systems
- Over-reliance on provider-managed cloud encryption, where the cloud provider generates and holds the keys unless the firm explicitly brings or controls its own
- No way to demonstrate segmentation of sensitive data flows
- Weak evidence when regulators ask: “Show us how this data is safeguarded.”
NYDFS expects consistent protection across every environment where NPI travels, and many organizations simply don’t have a control that can meet that expectation.
Why the Shift to Data-Centric Protection Matters for NYDFS
A gap that rarely shows up on dashboards or in audit reports is the protection of data in transit.
Many firms assume the network, the cloud provider, or TLS alone will cover them. Regulators no longer accept that. They expect organizations to enforce protection at the data-flow level, not at the perimeter or the device.
A modern NYDFS-aligned approach requires:
- Protecting the data itself, not just the network it travels across
- Ensuring encryption cannot be bypassed or weakened by misconfigurations
- Owning the encryption keys rather than leaving them with AWS, Azure, or Google
- Being able to prove which users, systems, or services can access specific data flows
This is the shift regulators want to see, and the shift most infrastructures were never designed for.
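As an added illustration of the last two requirements (key ownership and provable access to specific data flows), the following Python script is not Certes code or part of the original post. It evaluates a constructed set of observed NPI flows against a hypothetical per-flow allow-list policy and produces an evidence record per flow, flagging unapproved flows, unauthorized principals, cleartext transfers, and keys held by the cloud provider rather than the firm. Every system name, principal and policy entry is made up for the example.

```python
"""Data-flow policy checker (hypothetical example, not vendor code).

Evaluates observed data flows against an allow-list policy keyed on
(source, destination) and emits an auditable finding for each flow.
"""
from dataclasses import dataclass, field, asdict
import json

# Hypothetical policy: one entry per permitted NPI data flow.
# "key_owner" records who must hold the encryption key for the flow.
FLOW_POLICY = {
    ("core-banking", "aws-analytics"): {
        "principals": {"svc-etl", "svc-reporting"},
        "require_encryption": True,
        "key_owner": "firm",
    },
    ("core-banking", "vendor-kyc"): {
        "principals": {"svc-kyc-gateway"},
        "require_encryption": True,
        "key_owner": "firm",
    },
}


@dataclass
class Flow:
    src: str
    dst: str
    principal: str        # user, service or system that initiated the flow
    encrypted: bool
    key_owner: str        # "firm", "provider" or "none"
    classification: str   # "NPI" or "public"


@dataclass
class Finding:
    flow: dict
    violations: list = field(default_factory=list)

    @property
    def compliant(self) -> bool:
        return not self.violations


def evaluate(flow: Flow) -> Finding:
    """Check one observed flow against FLOW_POLICY; return its finding."""
    finding = Finding(flow=asdict(flow))
    if flow.classification != "NPI":
        return finding  # policy scope is NPI only
    rule = FLOW_POLICY.get((flow.src, flow.dst))
    if rule is None:
        finding.violations.append("unapproved-flow: no policy entry for src/dst")
        return finding
    if flow.principal not in rule["principals"]:
        finding.violations.append(f"unauthorized-principal: {flow.principal}")
    if rule["require_encryption"] and not flow.encrypted:
        finding.violations.append("unencrypted: NPI sent in the clear")
    if flow.encrypted and flow.key_owner != rule["key_owner"]:
        finding.violations.append(
            f"key-ownership: key held by {flow.key_owner}, "
            f"policy requires {rule['key_owner']}"
        )
    return finding


def evidence_report(flows) -> dict:
    """Summarise findings in a form that can be handed to an auditor."""
    findings = [evaluate(f) for f in flows]
    return {
        "total": len(findings),
        "compliant": sum(1 for f in findings if f.compliant),
        "findings": [{"flow": f.flow, "violations": f.violations} for f in findings],
    }


# Constructed sample of observed flows (not real telemetry).
SAMPLE_FLOWS = [
    Flow("core-banking", "aws-analytics", "svc-etl", True, "firm", "NPI"),       # compliant
    Flow("core-banking", "aws-analytics", "svc-etl", True, "provider", "NPI"),   # provider holds key
    Flow("core-banking", "vendor-kyc", "svc-adhoc", False, "none", "NPI"),       # wrong principal, cleartext
    Flow("core-banking", "marketing-db", "svc-etl", True, "firm", "NPI"),        # flow not in policy
    Flow("core-banking", "marketing-db", "svc-etl", False, "none", "public"),    # out of scope
]

if __name__ == "__main__":
    print(json.dumps(evidence_report(SAMPLE_FLOWS), indent=2))
```

The point of the structure is that the policy is expressed per data flow rather than per network or per cloud account, so the same check runs unchanged whether the destination is a private-cloud host, a public-cloud service or a vendor endpoint, and the output names the exact flow, principal and key owner an examiner would ask about.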
How Certes DPRM Helps Organizations Meet NYDFS Expectations
Certes DPRM (Data Protection & Risk Mitigation) gives financial institutions a single, consistent control they can point to when regulators ask how NPI is secured across their entire environment.
Instead of relying on a mix of cloud-native settings, network rules, and device-level protections, DPRM applies protection directly to each data flow. It keeps those flows isolated, authenticated, and encrypted, whether they move through private cloud, AWS, Azure, Google Cloud, or third-party networks.
Your organization maintains full ownership of encryption keys and policy enforcement, removing the dependency on cloud provider key management. And because DPRM records clear, auditable policies and logs, teams can show regulators exactly how NPI is segmented, governed, and protected.
DPRM is also built for crypto agility. Its quantum-safe design means firms can be ready for the PQC era, avoiding another costly and disruptive compliance cycle.
NYDFS Has Raised the Bar: Firms Need Controls That Can Keep Up
NYDFS is now focused on proof, not promises. If an organization can’t show how NPI is secured across end-to-end data flows, regulators see that as a material gap, no matter how strong the documentation looks.
Certes helps financial institutions replace partial coverage with data protection that works across every cloud, system, and connection. Instead of depending on the network or the provider, DPRM gives teams a straightforward, defensible answer when regulators ask how data is actually protected.
Book your free NYDFS Readiness Briefing and get a clear path to provable protection.