Data Protection in Financial Services Week 2025 – Webinar Recordings Now Live
Data Protection in Financial Services (DPFS) Week 2025 consisted of a series of webinars featuring industry leaders who offered invaluable insights on balancing AI with privacy, cybersecurity, and regulatory challenges within the financial services industry. DPFS Week was relevant to all those in financial services, including those in banking, insurance, fintech, funds, payments, private equity, securities, wealth management, and other sectors.
New York Department of Financial Services (NYDFS) Clarifies Expectations for Third-Party Cybersecurity Risks Under its Cybersecurity Regulation, and Additional Amendments Go into Effect on November 1, 2025
On October 21, 2025, NYDFS, the New York State agency responsible for regulating financial services and products, issued an Industry Letter clarifying how “Covered Entities”[1] should manage cybersecurity risks arising from Third‑Party Service Providers (TPSPs) under the NYDFS Cybersecurity Regulation (23 NYCRR Part 500).
Consumer Financial Protection Bureau Releases Proposed Rule on Fair Credit Reporting Act
On December 3, 2024, the U.S. Consumer Financial Protection Bureau (the CFPB) announced a notice of proposed rulemaking that seeks to significantly expand the scope of the Fair Credit Reporting Act and its implementing regulation, Regulation V (collectively, the FCRA), and to impose new requirements on covered parties, such as data brokers (the Proposed Rule).1 If implemented as currently drafted, the Proposed Rule would increase the amount of information defined as a “consumer report” and the number of persons defined as a “consumer reporting agency.” Moreover, it would create new requirements in relation to certain permissible purposes for which a consumer reporting agency may furnish a consumer report to a party.
New EU Cyber Law for the Financial Services Industry with Significant Impact on ICT Service Providers
The new EU Regulation on Digital Operational Resilience for the Financial Sector (DORA) recently entered into force. DORA establishes cybersecurity requirements for information and communication technology (ICT) systems supporting the business processes of financial entities and represents a paradigm shift for the ICT sector. Critical ICT third-party service providers, who are providing services to regulated financial entities, will also be directly regulated under DORA and subject to regulatory supervision by a regulator to be established under DORA (a so-called ‘Lead Overseer’).
