NYDFS Cybersecurity Regulation

On February 16, 2017, the New York State Department of Financial Services (NYDFS or DFS) released rules that place cybersecurity requirements on all covered financial institutions. The initial phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018.

What is NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, is issued by the New York State Department of Financial Services, the department of the New York state government responsible for regulating financial services and products, including those subject to the New York insurance, banking, and financial services laws.

What types of organizations must comply with NYDFS?

The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to operate under, DFS licensure, registration, or charter, or which are otherwise DFS-regulated, and, by extension, to unregulated third-party service providers of regulated entities. Examples of covered entities include:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Mortgage companies
  • Insurance companies
  • Third-party service providers

There are limited exemptions to the NYDFS Cybersecurity Regulation. 

What are the key requirements of NYDFS?

The NYDFS Cybersecurity Regulation is aligned with the NIST Cybersecurity Framework:

What are the cybersecurity policy requirements under NYDFS?

NYDFS requires covered organizations to develop a cybersecurity policy, including an incident response plan that provides for data breach notification within 72 hours. The policy must address its concerns in alignment with industry best practices and the ISO 27001 standard. Most notably, the policy must cover:

What are the reporting procedures under NYDFS?

NYDFS requires covered institutions to prepare an annual report that includes:

Covered institutions are also required to develop and implement a cybersecurity program that continuously evaluates vulnerabilities; this program not only informs the annual report but also enables the organization to respond proactively to threats.

What is the penalty for non-compliance with NYDFS?

Violations can incur fines of $250,000 or one percent of total banking assets.

How to meet NYDFS Cybersecurity Regulation?

Financial institutions face a near-term compliance challenge under the new NYDFS Cybersecurity Regulation. Best practice is to meet all the requirements in a timely manner, paying special attention to deadlines. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:

  • Assess whether your institution classifies as "covered"
  • Assemble your organization's regulatory compliance team
  • Understand your risk profile
  • Adhere to all deadlines

Where can I get help with NYDFS?

The Secured Transactions cybersecurity team can help you meet the NYDFS Cybersecurity Regulation requirements. To request a free one-hour consultation, please fill out the simple form, and one of our cybersecurity compliance experts will contact you promptly.


About the Author: Jenny Jo

Jenny Jo is the president and co-founder of MJJT Consultants. Ms. Jo is a Software Engineer, a Cyber Security Auditor, and an IT Project Manager. She is also a Certified Information Security Manager (CISM), which certifies her to audit information systems, as well as to design, build, and manage businesses' information security programs.