NYDFS Cybersecurity Regulation: What You Need to Know

January 02, 2017 Sarah Challis Articles, nydfs cybersecurity regulation


Download the free NYDFS cybersecurity regulation checklist here to check if you are compliant.

As a response to the growing threat of cyber-attacks, the New York State Department of Financial Services (NYDFS) has issued a first-in-the-nation cybersecurity regulation.

Who is the regulation for?

The NYDFS cybersecurity regulation is in response to the number of cyber criminals seeking to exploit technological vulnerabilities in order to gain access to sensitive data. Security breaches can cause serious financial losses for DFS-regulated companies, as well as consumers, whose private information is at risk of being revealed and/or stolen for illicit purposes.

Financial Services Superintendent Maria T. Vullo announced that the new regulation requires banks, insurance companies, and any other financial services institutions regulated by NYDFS to create and maintain a cybersecurity program, designed to protect consumers and ensure the safety of New York State’s financial services industry.


What is involved?

There is a comprehensive list of requirements designed to protect customer information in the financial services sector. The regulation is made up of requirements for audit trails, assessments, and a cybersecurity program with dedicated personnel overseeing and enforcing the policies.

To comply, you should have a well-designed cybersecurity framework with the right solutions in place.

Complying with the regulation may create challenges for your organization, especially since IT professionals are already working to keep companies safe in an uncertain environment.

The regulation requires each company to assess its specific risk profile and design a program that assesses its risks at every level, including the application layer, in a “robust” fashion.


What do you need to do?

Here are the main requirements you need to adhere to in order to be compliant (others may apply to you - contact us to speak about your specific needs):

  • Cybersecurity Program (and Documentation) - Have a written cybersecurity program that includes policies and an audit trail that protects the confidentiality, integrity, and availability of the covered entity’s information systems. The program should include annual penetration testing and bi-annual vulnerability assessments.
  • Risk Assessment - Conduct a risk assessment periodically on current information systems.
  • Cybersecurity Policy and Incident Response Plan - Establish an incident response plan designed to promptly respond to, and recover from, any cybersecurity event and notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a cybersecurity event has occurred.
  • CISO - Have dedicated cybersecurity personnel including a designated Chief Information Security Officer, either employed by the covered entity or a third party service provider.
  • Audit Trail - Have an audit trail designed to detect and respond to cybersecurity events.
  • Limit Access Privileges - Limit access to information systems that provide access to Non-public Information and periodically review access privileges.
  • In-House Applications - In-house applications should be covered under the cybersecurity program.
  • Continuous Training - Cybersecurity personnel should be kept up-to-date with training and ensure that their knowledge of risks remains current.
  • Third Party Access - Conduct third-party security risk assessments periodically on external service providers. Implement written policies to ensure the security of any information systems, as well as nonpublic information that is accessible by a third party.
  • Controls - Based on the risk assessment, effective controls such as Multi-Factor Authentication or Risk-Based Authentication should be used. Encryption should be used to secure data.
  • Disposal of Information - Have policies and procedures for the secure disposal, on a periodic basis, of any nonpublic information that is no longer necessary.


Key dates for compliance

February 15, 2018 - Certificate of compliance is due.

March 1, 2018 - Covered Entities are required to be in compliance with the requirements of sections 500.04(b) (CISO report), 500.05 (Penetration Testing and Vulnerability Assessments), 500.09 (Risk Assessment), 500.12 (Multi-Factor Authentication) and 500.14(b) (Training and Monitoring).

September 3, 2018 - Covered Entities are required to be in compliance with the requirements of sections 500.06 (Audit Trail), 500.08 (Application Security), 500.13 (Limitations on Data Retention), 500.14(a) (Training and Monitoring) and 500.15 (Encryption of Nonpublic Information) of 23 NYCRR Part 500.

March 1, 2019 - Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11 (Third Party Service Provider Security Policy).


You may be exempt

Certain companies are exempt from some parts of the regulation, such as those with fewer than 10 employees or with less than $5,000,000 in gross annual revenue from New York business operations. Please contact us for the full exemption list.
