What is the NYDFS Cybersecurity Regulation?

By Jeff Aldorisio

Posted on Feb 22, 2019

In September 2016, the New York Department of Financial Services (NY DFS) announced its landmark Cybersecurity Regulation, creating the first regulatory cybersecurity-specific compliance requirement. Enforced beginning on February 15, 2019, the NY DFS Cybersecurity Regulation requires all Covered Entities and licensed persons who are not fully exempt from the Regulation to submit a Certification of Compliance. The document provides an attestation covering compliance for the 2018 calendar year. Despite being enforceable for two years, NY DFS filed its first charges in July 2020. With the agency now showing its teeth, understanding the NY DFS cybersecurity regulation requirements can protect data and reputation.

What is the NY DFS Cybersecurity Rule?

The NY DFS Cybersecurity Regulation, 23 NYCRR 500, intends to promote supply chain cybersecurity across the financial services industry by creating a rigorous risk-based approach to cybersecurity and vendor risk management.

The law establishes sixteen cybersecurity compliance requirements including:

  • 500.2: Establishing a cybersecurity program
  • 500.3: Creating a cybersecurity policy
  • 500.4: Appointing a Chief Information Security Officer (CISO)
  • 500.5: Engaging in penetration testing
  • 500.6: Establishing an audit trail
  • 500.7: Creating access privileges according to the principle of least privilege
  • 500.8: Ensuring application security
  • 500.9: Establishing a risk assessment
  • 500.10: Appointing cybersecurity personnel and intelligence
  • 500.11: Creating a third-party service provider security policy
  • 500.12: Enforcing multi-factor authentication
  • 500.13: Limiting data retention
  • 500.14: Establishing training and monitoring programs
  • 500.15: Encrypting nonpublic information (NPI)
  • 500.16: Establishing an incident response plan

What is a Certification of Compliance?

Organizations that need to meet NY DFS Cybersecurity Regulation compliance must complete the Certification of Compliance confirming compliance using the DFS Portal where they enter the following information:

  • Entity or First name
  • Last name (for individuals)
  • Employed by (for individuals)
  • Social Security or Tax ID Number
  • Address
  • Date of birth (for individuals)
  • Type of license or field of business
  • Phone number
  • Who reviewed the certification of compliance
  • Name of Board member(s) certifying
  • Titles
  • Email
  • Covered Entity Tax ID Number
  • Date Board resolved any compliance findings
  • Year

This entry serves as an attestation that the organization has engaged in the appropriate compliance requirements even though no documentation needs to be uploaded to the portal. However, Under 23 CRR-NY 500.2 “Cybersecurity program,” the law notes that regulated entities must make all documentation available to the superintendent upon request. Ultimately, while the law does not specify an audit requirement, the attestation provided in the Certification of Compliance indicates that the appropriate audit trail documents exist and can be provided to the superintendent.

Does 23 CRR-NY 500 have any exemptions?

Although most financial services organizations need to meet NY DFS Cybersecurity Regulation compliance, a few limited exemptions exist.

Small businesses

Under the law, limited exemptions exist for small businesses. To qualify, a company must meet at least one of the following requirements:

  • Fewer than 10 employees
  • New York business operation gross annual revenue of less than $5 million for the preceding three fiscal years
  • Less than $10m in year-end total assets

These organizations are only exempt from the following sections:

  • 500.4
  • 500.5
  • 500.6
  • 500.8:
  • 500.12
  • 500.14
  • 500.15
  • 500.16

Covered by organization’s program

Any covered entity employees, agents, representatives, or designees who would also be considered covered entities can use the original company’s cybersecurity program and need not create their own.

Lack of systems and data

Another set of limited exemptions can be applied to a covered entity that neither directly nor indirectly incorporates information systems into its business and does not nor is required to directly or indirectly manage any NPI. These organizations are exempt from:

  • 500.2
  • 500.6
  • 500.7
  • 500.8
  • 500.10
  • 500.12
  • 500.14
  • 500.15
  • 500.16

Corporate non-public information only

Additionally, organizations under article 70 of the Insurance Law that only manage their corporate parent company’s non-public information are exempt from:

  • 500.2
  • 500.3
  • 500.4
  • 500.5
  • 500.6
  • 500.7
  • 500.8
  • 500.10
  • 500.12
  • 500.14
  • 500.15
  • 500.16

Continuously monitor with SecurityScorecard

SecurityScorecard enables covered entities to monitor their own security posture as well as that of their vendors. Our platform uses outside-in approach measures risk across ten categories and provides organizations with easy-to-read ratings. The A-F rating scale applies to the overarching security posture and to the individual risk categories so that companies can prioritize risk mitigation strategies.

No waiting, 100% Free

Get your personalized scorecard today

Get your free scorecard and learn how you stack up across 10 risk categories. Answer a few simple questions and we'll instantly send your score to your business email.

Get Your Free Score

Get In Touch

Thank you for contacting us!