What is the NYDFS Cybersecurity Regulation?


The New York State Department of Financial Services (DFS) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations, and independent criminal actors, particularly against financial services organizations. In response, DFS established a set of rules and regulations that require annual certification to prove covered organizations are in compliance with specific IT security requirements.

The NYDFS Cybersecurity Regulation (23 NYCRR 500) includes 23 sections that outline requirements for enacting a cybersecurity program. The regulation requires covered institutions to assess their cybersecurity risks and develop plans to proactively address those risks.

Does the NYDFS Regulation Apply to Your Organization or Client? 

The NYDFS Cybersecurity Regulation applies to all entities operating under, or required to operate under, DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as third-party service providers servicing regulated entities. 

Covered entities include, but are not limited to: 

  • Banking organizations 
  • Financial services companies 
  • Insurance companies 
  • HMOs and continuing care retirement communities 
  • Not-for-profit mortgage brokers 
  • Third-party service providers
  • Certified reinsurers 
  • Credit line providers 
  • Exam monitors 
  • Companies with approval to use ISO 
  • Medical malpractice insurers authorized in New York 
  • Purchasing groups registered in New York 
  • Risk retention groups registered in New York 

What Does NYDFS Require? 

The NYDFS Cybersecurity Regulation imposes cybersecurity rules on covered organizations, including the establishment of detailed cybersecurity plans, designation of a Chief Information Security Officer (CISO), implementation of a cybersecurity policy, and initial and ongoing reporting of cybersecurity events.

How do You or Your Client Comply with the NYDFS Regulation? 

To comply with the NYDFS Cybersecurity Regulation, you or your client will need to adhere to several requirements that are similar to the NIST Cybersecurity Framework:

  • Identify all cybersecurity threats, both internal and external
  • Employ defenses to protect against threats 
  • Implement systems to detect cybersecurity events 
  • Address all detected cybersecurity events 
  • Remediate every cybersecurity event 
  • Perform required regulatory reporting 

Compliance Manager GRC allows you to use all your current IT security tools, software, and systems to meet the requirements of the NYDFS Cybersecurity Regulation, while you maintain compliance with all your other IT requirements, regardless of source.

The built-in Standard Management Template allows you to quickly determine if you can “check the boxes” for every requirement, identifies the gaps, and automatically prepares all the documents you need to meet NYDFS compliance. 

To learn how Compliance Manager GRC can help you manage NYDFS compliance, as well as many other mandated regulations, request a demo today.