On February 16, 2017, the New York State Department of Financial Services (NYDFS or DFS) released rules that place cybersecurity requirements on all covered financial institutions. The initial phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018.
The NYDFS Cybersecurity Regulation, also known as 23 NYCRR 500, was issued by the DFS, the department of the New York state government responsible for regulating financial services and products, including those subject to the New York insurance, banking, and financial services laws.
The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:
There are limited exemptions to the NYDFS Cybersecurity Regulation.
The NYDFS Cybersecurity Regulation is aligned with the NIST Cybersecurity Framework:
NYDFS requires covered organizations to develop a cybersecurity policy, including an incident response plan that provides for data breach notifications within 72 hours. The policy must address its areas of concern in alignment with industry best practices and the ISO 27001 standards. Most notably, the policy must cover:
NYDFS requires covered institutions to prepare an annual report that includes:
Covered institutions are also required to develop and implement a cybersecurity program that continuously evaluates vulnerabilities; this program not only informs the annual report but also enables the organization to develop proactive responses to threats.
Violations can incur fines of $250,000 or one percent of total banking assets.
Financial institutions face a near-term compliance challenge under the new NYDFS Cybersecurity Regulation. Best practice is to meet all the requirements in a timely manner, paying special attention to the deadlines. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:
The Secured Transactions cybersecurity team can help you meet the NYDFS Cybersecurity Regulation requirements. To request a free one-hour consultation, please fill out the simple form, and one of our cybersecurity compliance experts will contact you promptly.