The New York Department of Financial Services (NYDFS) is the state regulatory agency responsible for supervising and regulating financial services and products in New York State. It was established in 2011 through the merger of the New York State Banking Department and the New York State Insurance Department.

NYDFS plays a crucial role in safeguarding the integrity of New York’s financial markets and protecting consumers from financial fraud and abuse. 

The department oversees a wide range of financial institutions, including banks, insurance companies, mortgage lenders, and other financial services providers.

NYDFS regulates various aspects of the financial services industry, including licensing, supervision, enforcement, and consumer protection. Its regulatory authority extends to both traditional financial institutions and emerging financial technologies, reflecting the evolving nature of the financial services landscape.

What is the NYDFS Cybersecurity Regulation?

The New York State Department of Financial Services (NYDFS) introduced its cybersecurity regulation in response to the increasing frequency and sophistication of cyber threats targeting financial institutions. 

The regulation aims to protect consumers’ sensitive data and ensure the stability and integrity of the financial services industry within the state. 

These elements comprise various sub-regulations and prerequisites. Failure to comply with NYDFS regulations can result in severe penalties, including fines, sanctions, and even loss of licensure, which can significantly impact a company’s reputation and bottom line.

Who falls under the scope of the NYDFS cybersecurity regulation?

The NYDFS Cybersecurity Regulation encompasses entities operating under or mandated to operate under DFS licensure, registration, or charter, including DFS-regulated entities and unregulated third-party service providers to regulated entities. 

Covered institutions are mandated to tackle emerging cybersecurity challenges as outlined in the NYDFS Cybersecurity Regulation, which exceeds industry standards in several aspects. 

Key requirements include data encryption, annual certification for compliance verification, implementation of enhanced multi-factor authentication for inbound network connections, and mandatory documentation and reporting of all cybersecurity events.

While there are exemptions to certain provisions of the Regulation, they apply to organizations with fewer than 10 employees, generating less than $5 million in gross annual revenue from New York operations over the past three years, or holding less than $10 million in year-end total assets.

A cybersecurity initiative in accordance with the NYDFS Cybersecurity Framework will conform to several essential mandates, following the framework established by the NIST Cybersecurity Framework:

• Identification of all cybersecurity threats, whether internal or external.
• Implementation of defense mechanisms to safeguard against these threats.
• Utilization of systems to detect cybersecurity incidents promptly.
• Prompt response to all identified cybersecurity incidents.
• Undertaking measures for recovery following each cybersecurity event.
• Compliance with diverse obligations for regulatory reporting.

Phased implementation of NYDFS

The NYDFS Cybersecurity Regulation (23 NYCRR 500) mandates cybersecurity standards for financial institutions under the jurisdiction of the New York Department of Financial Services (NYDFS). 

Introduced on February 16th, 2017, following feedback from both industry stakeholders and the public, these regulations consist of 23 sections detailing the criteria for establishing and executing a robust cybersecurity framework. 

Covered institutions are obliged to evaluate their cybersecurity vulnerabilities and formulate strategies to preemptively mitigate these risks. 

The regulation incorporates a phased implementation approach comprising four phases, affording organizations the opportunity to progressively enhance their cybersecurity protocols and safeguards.

Phase 1: Cybersecurity policy development

The commencement of the NYDFS Cybersecurity Regulation on February 15, 2018, ushered in a series of requirements for covered organizations, including the establishment of a comprehensive cybersecurity policy. 

This policy mandate encompasses the formulation of an incident response plan, necessitating data breach notifications within 72 hours of detection. 

Aligned with industry best practices and ISO 27001 standards, the policy must cover critical areas such as:

• Information security, 
• Access controls, 
• Disaster recovery planning, 
• Systems and network security, and 
• Customer data privacy. 

Moreover, organizations must conduct regular risk assessments to inform their cybersecurity posture and ensure ongoing compliance with the regulation.

Phase 2: Reporting procedures

Under phase two of the NYDFS Cybersecurity Regulation, which took effect on March 1, 2018, Chief Information Security Officers (CISOs) are tasked with preparing an annual report. 

Additionally, covered institutions must develop and implement a cybersecurity program that continuously evaluates vulnerabilities, enabling proactive responses to emerging threats and compliance with regulatory mandates.

Phase 3: Program development

Phase three of the regulation, effective as of September 3, 2018, mandates covered institutions to establish a comprehensive cybersecurity program. 

Financial institutions subject to NYDFS regulation must develop comprehensive cybersecurity programs tailored to their specific risks and operational requirements. 

These programs typically include elements such as:

This program encompasses various key elements, including:

• Maintenance of an audit trail reflecting threat detection and response activities.

• Written documentation of procedures for in-house and third-party applications.

• Detailed data retention policies, and robust security control measures such as encryption.

The program aims to ensure that organizations have effective mechanisms in place to safeguard sensitive data and systems from cyber threats.

Phase 4: Third-party security

The final phase, effective since March 1, 2019, requires covered institutions to finalize policies regarding third-party access to systems and files covered by the regulation. 

These policies must cover:

• A risk assessment of third-party service providers
• Security requirements for conducting business with such entities
• Processes for evaluating the effectiveness of third-party security practices
• Periodic assessments of third-party policies and controls

Additional requirements

• Covered entities must employ qualified and continuously trained cybersecurity personnel to manage evolving threats effectively.

• They are required to notify the NYDFS about all cybersecurity events that carry a “reasonable likelihood” of causing material harm, enabling regulatory oversight and intervention.

• Access privileges must be monitored and limited to prevent unauthorized access to sensitive data and systems.

• Compliance with data encryption, multi-factor authentication, incident reporting, and annual certification requirements is mandatory to enhance cybersecurity resilience and regulatory compliance.

Consequences and penalties for violations

While details regarding fines for violations remain undisclosed, penalties for violations will be determined, with potential ramifications for covered entities. 

As the regulation becomes fully enforced, violations may be alleged and founded, potentially leading to public disclosure of fees and other consequences.

NYDFS Regulation: Benefits and drawbacks 

Guidelines for adhering to NYDFS cybersecurity regulation

Navigating the demands of the new NYDFS Cybersecurity Regulation poses a pressing challenge for financial institutions. Key practices involve timely compliance with all stipulations, careful attention to deadlines, and the appointment of a proficient Chief Information Security Officer (CISO) to orchestrate an effective response. 

To prepare for compliance with the NYDFS Cybersecurity Regulation, it is imperative to:

1. Evaluate whether your institution falls under the “covered” category. While exemptions exist, exempt organizations must officially file within 30 days after the end of the latest fiscal year. For clarification on your organization’s status, consult the NYDFS website’s “Who We Supervise” page.

2. Formulate a regulatory compliance team within your organization. Every covered, non-exempt financial institution should designate a CISO. While the CISO bears ultimate responsibility for compliance, achieving and sustaining compliance typically necessitates a collaborative effort, given the enterprise-wide implications of the new regulations.

3. Assess your organization’s risk profile comprehensively. Although the required Risk Assessment was due by March 1, 2018, ongoing, periodic risk assessments are crucial for identifying vulnerabilities and proactively addressing emerging threats.

4. Adhere strictly to all prescribed deadlines. The final provisions of the new regulation came into effect on March 1, 2019. Refer to the complete regulation document for further clarity on compliance requirements.

Wrapping up

In conclusion, the New York Department of Financial Services (NYDFS) plays a crucial role in regulating the financial services industry and safeguarding against cyber threats. By enforcing cybersecurity regulations and standards, NYDFS aims to protect sensitive data, mitigate risks, and enhance the resilience of financial institutions. 

As the financial landscape continues to evolve and cyber threats become more sophisticated, compliance with NYDFS regulations is paramount for organizations operating in the financial sector. 

To ensure compliance and bolster cybersecurity measures, organizations should leverage tools like Scrut, which provides comprehensive cybersecurity solutions tailored to NYDFS requirements. With Scrut, organizations can strengthen their security posture, achieve regulatory compliance, and safeguard their reputation and assets in an increasingly digital world. Book a demo today to learn more.

Frequently Asked Questions