NYDFS Cybersecurity Regulation

On February 16, 2017, the New York State Department of Financial Services (NYDFS or DFS) released rules to place cybersecurity requirements on all covered financial institutions. The initial phase of the NYDFS Cybersecurity Regulation went into effect on February 15, 2018 

NYDFS Cybersecurity Regulation, also known as the 23 NYCRR 500, is the department of the New York state government responsible for regulating financial services and products, including those subject to the New York insurance, banking, and financial services laws.

The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:

• State-chartered banks
• Licensed lenders
• Private bankers
• Foreign banks licensed to operate in New York
• Mortgage companies
• Insurance companies
• Third-Party Service providers

There are limited exemptions to the NYDFS Cybersecurity Regulation. 

NYDFS Cybersecurity Regulation aligned with the NIST Cybersecurity Framework:

• Cyber Security Program
• Cyber Security Policies
• Audit Trail
• Application Security
• Awareness Training
• System Monitoring
• Incident Response Plan
• Risk Assessments

NYDFS requires covered organizations to develop a cybersecurity policy, including an incident response plan that includes data breach notifications within 72 hours. The policy must address concerns in alignment with industry best practices and ISO 27001 standards. Most notably, the policy must cover:

• Information security Program
• Access controls
• Disaster recovery planning
• Systems and network security
• Customer data privacy 
• Regular risk assessments 

NYDFS requires covered institutions to prepare an annual report that includes:

• The organization’s cybersecurity policies and procedures
• The organization’s security risks
• The effectiveness of the organization’s existing cybersecurity measures

Also, covered institutions are required to develop and implement a cybersecurity program that continuously evaluates vulnerabilities, which not only informs the annual report but also enables the organization to develop proactive responses to threats.

Violations can incur fines of $250,000 or one percent of total banking assets.

Financial institutions face a near-term compliance challenge in the face of new NYDFS Cybersecurity Regulation. Best practices involve meeting all the requirements in a timely manner, paying special attention to deadlines. In preparing for NYDFS Cybersecurity Regulation compliance, be sure to:

• Assess whether your institution classifies as "covered"
• Assemble your organization's regulatory compliance team
• Understand your risk profile
• Adhere to all deadlines

Secured Transactions cybersecurity team can help you to meet NYDFS Cybersecurity Regulation requirements. To request a one-hour free consultation, please fill out the simple form, one of our cybersecurity compliance experts will contact you promptly.