Ted advises clients on cutting-edge privacy and data protection matters. Clients trust him to help them navigate emerging state privacy laws including the California Consumer Privacy Act, and cybersecurity requirements such as the NY DFS Cybersecurity Regulation.

On April 22, the U.S. House of Representatives Financial Services Committee and the Energy and Commerce Committee jointly unveiled a paired privacy package that, taken together, would substantially recast the federal obligations for the treatment of consumer data. The “Guidelines for Use, Access, and Responsible Disclosure of Financial Data Act” (the GUARD Financial Data Act) would update and enhance Title V of the Gramm‑Leach‑Bliley Act (GLBA) for financial institutions. The “Securing and Establishing Consumer Uniform Rights and Enforcement over Data Act” (the SECURE Data Act) would create a national, cross‑sector privacy framework that would have applicability and features similar to the current patchwork of state comprehensive privacy laws, with strong entity-level and data-level exemptions for financial institutions and financial data subject to GLBA (and for HIPAA-covered entities and business associates, certain nonprofits, and institutions of higher education).

Key Point: Under the revised NYDFS Cybersecurity Regulation, covered entities must implement and enforce MFA for all access to all information systems — not just adopt MFA tools — and carefully document any CISO-approved compensating controls. Given the November 1, 2025 effective date of the new, expanded MFA requirement, and the annual certification of compliance for 2025 due April 15, 2026, now is the time for covered entities to review carefully their compliance in view of the NYDFS interpretations and guidance.

Key point: All businesses struggle with cybersecurity risks presented by their service providers. New guidance from the NY DFS applies to all DFS regulated entities, but the guidance would assist any business in any industry in addressing these risks.

On October 21, 2025, the New York Department of Financial Services (the “DFS”) issued important guidance for covered entities (including all DFS licensees) on managing their cybersecurity risk related to third-party service providers (“TPSPs”). The guidance, “Industry Letter – October 21, 2025: Guidance on Managing Risks Related to Third-Party Service Providers” (the “Guidance”), specifically addresses a covered entity’s use of cloud, file transfer, AI and fintech providers. According to the DFS, the “Guidance does not impose new requirements or obligations . . ..” Rather, “it is intended to clarify regulatory requirements, recommend industry best practices . . ., and promote compliance . . ..” The Guidance highlights that managing the cybersecurity risk presented by TPSPs “remains a crucial element of a Covered Entity’s cybersecurity program,” and notes that it applies to all covered entities, regardless of size.