The New York State Department of Financial Services (NYS DFS) cybersecurity compliance law has been in effect since March 1, 2017. Under this law, financial organizations are required to implement specific cybersecurity controls in their systems. Financial institutions subject to the regulation are expected to be compliant with the first set of requirements by August 28, 2017.

In February 2017 the New York State Department of Financial Services (NYS DFS) issued a new cybersecurity regulation for banks, insurance companies and other financial institutions subject to NYS DFS jurisdiction. The NYS DFS developed this regulation over the past few years by conducting three industry surveys, holding multiple meetings with financial service firms and soliciting feedback from other US regulators.

Organizations that are required by law to comply*

According to NYS DFS, the regulation covers all entities operating under, or required to operate under, DFS licensure, registration or charter, or which are otherwise DFS-regulated, and, by extension, the unregulated third party service providers of those regulated entities. Covered entities include:

• State-chartered banks
• Licensed lenders
• Private bankers
• Foreign banks licensed to operate in New York
• Service contract providers
• Trust companies
• Mortgage companies
• Any insurance company doing business in NY

Financial services firms with fewer than 10 employees, less than $5 million in gross annual revenue in each of the last three years, or less than $10 million in year-end total assets are exempt.*

New York State is the first to act and its new regulation establishes requirements that go beyond federal requirements in many important areas. According to The National Law Review, “The new regulation will be felt far beyond the state of New York and will likely become the baseline standard for the financial services industry.”

*Exemptions: (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt from the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

Cybersecurity requirements organizations must meet by law*

Each requirement is listed below with the Cybersafe Solutions compliance-aligning service that addresses it.

• Implement a cybersecurity program
  – Identify and assess internal/external cybersecurity risks
    Risk Assessment
  – Use defensive infrastructure
    Managed Detection Response & Containment
  – Implement policies and procedures
    Security Policy Development
  – Detect cybersecurity events
    Managed Detection Response & Containment
  – Respond to identified or detected cybersecurity events
    Managed Detection Response & Containment
  – Recover from cybersecurity events
    Managed Detection Response & Containment
  – Restore normal operations and services
    Managed Detection Response & Containment
  – Maintain written procedures, guidelines and standards
    Security Policy Development
• Implement and maintain a written policy or policies
  Security Policy Development
• Appoint a CISO (in-house or third party) who must report to your board
  Virtual CISO Service
• Continuous monitoring, or periodic penetration testing and vulnerability assessments
  Managed Detection Response & Containment
  Penetration Testing
• Notify regulators of breaches within 72 hours of the incident
• Maintain audit trails for five years
  Managed Detection Response & Containment
• Conduct periodic risk assessments
  Risk Assessment
• Ensure the security of third party service providers
• Use multi-factor authentication or alternative access controls
• Train privileged users and monitor their activity
  Security Awareness Training & Simulated Phishing Tests
• Encrypt nonpublic information
• Establish an incident response plan
  Security Policy Development
• Protect all nonpublic information
• Destroy nonpublic information periodically and securely
• Certify regulatory compliance annually, and more
  Virtual CISO Service


The cybersecurity compliance law issued by the New York State Department of Financial Services (NYS DFS) has been in effect since March 1, 2017. Financial institutions subject to the regulation are expected to be compliant according to the following deadlines.

2017 August 28, Past Due
2018 February 15, Past Due
  • Submit annual certification of compliance with the NYS DFS regulations (500.17b)
2018 March 1, Past Due
  • Designate a Chief Information Security Officer (CISO) who will provide an annual report to the Board of Directors or equivalent governing body (500.04)
    Virtual CISO
  • Conduct periodic risk assessments (500.09)
    Risk Assessment
  • Continuous monitoring, or periodic penetration testing and vulnerability assessments (500.05)
    Managed Detection Response & Containment
    Penetration Testing
  • Use multi-factor authentication for individuals accessing enterprise networks from an external network (500.12)
  • Implement written policies and procedures to ensure the security of Third Party Service Providers (500.11)
    Security Policy Development

*For the full list of regulations and deadlines, see New York State Department of Financial Services 23 NYCRR 500.

Is your organization NYS DFS compliant?

For answers to your questions and the latest information on NYS DFS regulatory compliance, contact us today.

Cybersafe’s team of cyber experts has developed and implemented hundreds of Written Information Security Programs (WISPs) in both the public and private sectors. One of the key components of an Information Security Program is establishing an Information Security Policy that reflects the organization’s security objectives.

Prior to establishing an Information Security Policy, it is critical to find out how management views security. While many security policies share common themes, we understand that each organization is unique and must develop its own set of policies customized to its distinct way of conducting business. An organization’s security policies must always reflect actual practice that everyone agrees to and complies with. Our team takes a holistic approach to implementing an Information Security Program, including the policies and procedures needed to protect the confidentiality, integrity and availability of an organization’s sensitive data. Failure to protect any of the three can result in legal liability, regulatory fines, and loss of business and customer trust.