Guide to the NYDFS Cybersecurity Regulation

Ayush Saxena

Ayush Saxena

Jan 12, 2024

Guide to the NYDFS Cybersecurity Regulation

In Gov. Cuomo’s words: “This regulation helps ensure that  the financial services organizations in the industry fulfill its obligation to safeguard consumers and ensure that its systems are sufficiently constructed to avert cyber-attacks to the fullest extent possible.”

The New York State Department of Financial Services (NYDFS) released the NYDFS Cybersecurity Regulation (23 NYCRR 500) on February 16, 2017, which places cybersecurity requirements on all Covered Entities (financial services companies and financial institutions).

What is NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation is applicable to all entities functioning under or required to operate under DFS registration, licensure, or charter, or which are DFS-regulated, and by extension, unregulated third-party service providers to regulated entities are also included in its scope..

It requires Covered Entities(financial services companies and financial institutions) to analyze their cybersecurity risk and implement a plan to proactively address them, with 23 sections outlining requirements for developing as well as implementing an effective cybersecurity program.

After two rounds of public and industry feedback, the NYDFS Cybersecurity Regulation was released, including a phased implementation process in four distinct phases to give companies time to implement more robust controls and policies. 

What is the goal of NYDFS Cybersecurity Regulation?

The goal of NYDFS Cybersecurity Regulation(23 NYCRR Part 500)  is to counter the increasingly volatile cybersecurity climate faced by US financial institutions and respond to the growing sophistication of cybercriminals. It helps promote the integrity of the information technology systems of regulated entities while ensuring the safety of sensitive customer data.

Hackers employ common attack vectors, such as social engineering or deployment of ransomware, among other methods, to gain remote access and remote control of privileged accounts and cybersecurity resources.

The regulation requires supervised entities to analyze their cybersecurity risk profiles and come up with a comprehensive plan that identifies and mitigates that risk. To assist organizations in preventing data breaches, certain regulatory minimum standards have been set, including:

  • Information technology systems should have risk-based minimum standards, including access controls, data protection and encryption, and penetration testing.
  • The program should be adequately funded, managed by a chief information security officer, and carried out by qualified cybersecurity personnel.
  • In order to respond to data breaches, effective incident response plans include preserving data and sending timely notifications to the NYDFS of material events.
  • Accountability is provided by identification and documentation of vulnerabilities, incident response and remediation plans, and certifications of compliance on an annual basis.

Also check :15 Best Cybersecurity tools in 2024

Who falls under the NYDFS Cybersecurity Regulation?

Any business that is regulated by the Department of Financial Services falls under the scope of NYDFS Cybersecurity Regulation. These include:

  • Licensed lenders
  • Trust companies
  • State-chartered banks
  • Mortgage companies
  • Private bankers
  • Service contract providers
  • Non-U.S. banks licensed to function in New York
  • Insurance companies conducting business in New York

Organizations meeting the following requirements are exempt from the regulation:

  • Less than 10 employees
  • Gross annual revenue is less than $5 million for three years
  • Year-end total assets amounting to less than $10 million 

Streamline compliance and secure your business

What are the requirements of NYDFS Cybersecurity?

A cybersecurity program should fulfill several key requirements to comply with the new NYDFS Cybersecurity Regulation. These requirements are also aligned with the NIST Cybersecurity Framework here are a few of the overlapping  requirements are:

  • Identify both internal and external cybersecurity threats
  • Safeguard against threats by employing defense infrastructure 
  • Detect cybersecurity events using a system
  • All detected cybersecurity events must be mitigated
  • Recover from each cybersecurity event
  • For regulatory reporting purposes, fulfill various requirements 

Organizations must ensure centralized logging, endpoint detection, impact assessment, maintain complete asset inventory, fulfill reporting requirements,  and conduct an annual certification process to fulfill NYDFS certification requirements. Senior management or an external party can be involved to assess material cybersecurity risks, align with applicable rules and regulatory requirements, and ensure normal operations while mitigating business impact in the event of a disaster.

Cybersecurity policy design

On February 15, 2018, the NYDFS Cybersecurity Regulations initial phase came into effect. Organizations in its scope are required to develop a cybersecurity policy as well as an incident response plan that shares data breach notifications within 72 hours. While addressing these requirements, it is also important to remember that they must align with the policies of the ISO 27001 standard and industry best practices; the policy must address concerns such as: 

  • Regular risk assessments
  • Information security
  • Customer data privacy
  • Access controls
  • Systems and network security
  • Disaster recovery planning

Reporting Procedures

On March 1, 2018, phase two came into effect, which requires CISOs to create an annual report that includes the following:

  • Cybersecurity policies and procedures implemented by the organization
  • Security risks faced by the organization
  • A measure of the effectiveness of existing cybersecurity measures

A cybersecurity program should be developed and implemented by covered institutions that continuously evaluate vulnerabilities, not only for the purpose of the report but also to enable the organization to take a proactive response to threats.

The latest regulatory updates as per the NYDFS cybersecurity framework will be rolled out gradually over the next couple of years. These changes are aimed at easing the adaptation process with staggered transition periods for different clauses. The Department has thoughtfully outlined guidelines to help various entities, such as small businesses, Class A businesses, and covered entities, understand the compliance timelines.

Mark your calendars: as per the initial compliance checkpoint, set for December 1, 2023, covered businesses are required to comply with section 500.17(a). This section places importance on the obligation to notify NYDFS about cybersecurity events that have also been reported to other authorities. Furthermore, it requires companies to disclose incidents related to ransomware.

Looking ahead, another significant deadline is scheduled on April 15, 2024. This deadline focuses on section 500.17(b), which mandates all entities to furnish a Certification of Material Compliance or Acknowledgment of Noncompliance for the 2023 period. These timelines are crucial benchmarks in the phased enforcement of the Second Amendment.

Program development

On September 3, 2018, phase three came into effect, which required covered institutions to develop a comprehensive cybersecurity program with several key elements, including:

  • An audit trail to reflect threat detection and incident response activities
  • Written documentation of procedures, guidelines, and standards for in-house applications and third-party applications
  • A detailed data retention policy should be established, which includes how nonpublic personal information is disposed
  • Encryption, as well as other robust security control measures

Third-party security

On March 1, 2019, the final requirement came into effect and required covered institutions to finalize their third party data access policies. For third-party security, covered financial institutions are required to develop a written policy with the following details:

  • Details of regular risk assessments of third-party vendors and service providers
  • 3P service providers must meet the requirements security requirements to conduct business with that entity
  • Processes should be established for evaluating the overall effectiveness of a third-party service provider’s security practices
  • Conduct periodic assessments of third-party controls and policies

Additional requirements

Organizations in the scope of the NYDFS Cybersecurity Regulation are also required to:

  • Manage evolving cybersecurity threats and responses by employing qualified, continuously trained cybersecurity personnel. These can constitute third-party actors as well
  • For all events that carry a “reasonable likelihood” of triggering material harm, notify the NYDFS about all cybersecurity
  • Monitor as well as limit access privileges granted to users.

Address New Cybersecurity Challenges

Some requirements under the NYDFS Cybersecurity Regulation go over and beyond existing industry best practices. The most significant are:

  • Data encryption: Organizations must enforce controls depending on the outcome of a risk assessment, including encryption of sensitive data
  • Annual certification: Covered entities must complete certification annually to confirm compliance with the regulations
  • Enhanced multi-factor authentication: implement multi-factor authentication for all inbound connections to the entity’s network.
  • Incident reporting: Covered entities must document as well as report all cybersecurity events

Comply with NYDFS Cybersecurity in 2024

How to become compliant with NYDFS Cybersecurity?

Organizations are required to comply with the practices outlined under the NYDFS Cybersecurity Regulation. They must appoint a CISO, maintain a cybersecurity program in alignment with the NIST Cybersecurity Framework, conduct period risk assessments, and invest in third-party risk and fourth-party risk management programs.

Organizations should take the following steps to become compliant as per NYDFS Cybersecurity:

  • Analyze if they are classified as covered
  • Appoint CISO and assemble a security team that is responsible for the everyday management of compliance
  • Conduct periodic risk assessments and understand their risk profile to identify vulnerabilities and cyber threats by employing a continuous security rating software 
  • Implement a vendor risk management program

Also check: Best vendor risk management tools in 2024

Multi Factor Authentication (MFA), application security, prioritization of cybersecurity risks, administrative controls, password policy, mandatory controls, automatic response triggers, annual penetration tests, and designating dedicated cybersecurity staff can help financial companies get a step closer to NYDFS certification.

What are the latest changes in the NYDFS Cybersecurity Regulation?

The NYDFS cybersecurity regulation has undergone several revisions to address emerging cyber threats and vulnerabilities. The New York Department of Financial Services, on November 1, 2023, added the latest amendment to its cybersecurity regulation. It’s important to note that the final regulation offers some important changes, including:

  • Audit trails—Originally set as five years, data retention requirements were reduced to three years.
  • Notice—Regarding notice provided by Third Party Service Providers, covered Entities’ policies and procedures affect only the Covered Entities’ Nonpublic Information being possessed by that Third Party Service Provider.
  • Reporting—In case of a cybersecurity event to the NYDFS, clarification as to when a Covered Entity must provide notice.
  • Exemptions— The number of employees of a Covered Entity’s New York affiliates and the gross annual revenue constitute the limited exemptions.
  • Insurance— For organizations regulated under the insurance laws of New York, exemption rules are clarified.

Benefits and Challenges of NYDFS Cybersecurity Regulation

The finance industry has a long history of damaging cyber-attacks and data breaches. In response, the NYDFS Cybersecurity Regulation was adopted on March 1, 2017, and paved the way for other states to ordain much-needed cybersecurity regulation. The NYDFS regulation is still in the nascent stage and offers a few pros as well as cons. 

The benefits of NYDFS Cybersecurity Regulation are:

  • Exemption is offered to organizations with less than 10 employees and employing independent contractors.
  • Third-party service providers can be employed by small and medium-sized companies to meet many of the regulation requirements.

The challenges associated with NYDFS Cybersecurity Regulation are:

  • The regulation has undergone several revisions from the proposed versions. All data at rest and in transit was called for encryption, which many financial institutions argued was unnecessarily restrictive.
  • The regulation is woefully out of date even before it was enacted, although it is a much better choice than the regulation in place in other states.

Penalties under NYDFS Cybersecurity

There are no details offered regarding fines for violations as per the current state of the regulation. However, the recent actions exhibit consistent enforcement priorities and, to a greater degree, impose monetary penalties in the $4.5 – $5 million range.

The New York Department of Financial Services (NYDFS), on May 25, 2023, with respect to alleged violations of NYDFS’s Cybersecurity Regulation, levied a $4.25 million fine pursuant to a consent order and pay to settle (23 NYCRR Part 500) on OneMain Financial Group (OneMain). The violations included improperly storing passwords and insufficient risk management from third-party data storage. According to NYDFS, as part of the settlement, OneMain has also agreed to engage in significant remediation measures.

Get compliant across frameworks with Sprinto

Achieving NYDFS compliance is a priority for financial institutions. But is that the only federal requirement? With several federal regulations at play, such as ISO 27001, SOC 2, PCI-DSS, etc., getting compliant across frameworks and safeguarding your data against the everchanging cybersecurity landscape can prove to be overwhelming and challenging. 

Don’t worry, we are here to help!

Sprinto is a powerful security and compliance automation platform that helps you implement security controls across your organization, monitor your cybersecurity posture, and get compliant across frameworks– at scale and entity levels–  all in real time. Use the magic of controlled mapping to get compliant across frameworks such as SOC2, ISO 27001, PCI-DSS, and NYDFS compliance, among others, 10x faster– all from a single dashboard.


What is the purpose of NYDFS?

The purpose of NYDFS is to build a transparent, equitable, and resilient financial system that protects individual’s privacy while supporting businesses.

Who is covered under NYDFS?

Insurance companies, banks,  as well as other regulated financial services institutions operating in New York fall under the scope of the NYDFS Cybersecurity Regulation and are required to assess their cybersecurity risk profile—including branches and agencies of non-US banks licensed in the state of New York.

What is the NYDFS Cybersecurity Regulation 2024?

By November 2024, an important alteration will be implemented for covered entities eligible for a Section 500.19(a) exemption. They will be required to follow the Multi-Factor Authentication provisions under Section 500.12. Additionally, these entities will need to furnish cybersecurity awareness training as outlined under Section 500.14(a)(3). These upcoming changes aim to strengthen cybersecurity measures adopted by businesses.

Ayush Saxena

Ayush Saxena

Ayush Saxena is a senior security and compliance writer. Ayush is fascinated by the world of hacking and cybersecurity. He specializes in curating the latest trends and emerging technologies in cybersecurity to provide relevant and actionable insights. You can find him hiking, travelling or listening to music in his free time.

Here’s what to read next….

Sprinto: Your growth superpower

Use Sprinto to centralize security compliance management – so nothing
gets in the way of your moving up and winning big.