What Is NYDFS and Why Do You Need to Comply

The New York Department of Financial Services (NYDFS) is a regulatory body that oversees the financial services industry in New York State. It was established in 2011 to protect consumers and maintain the stability of the financial system.

NYDFS has the authority to regulate and supervise a wide range of financial institutions, including banks, insurance companies, and mortgage lenders. This includes requiring them to implement robust cybersecurity measures to protect sensitive customer data.

Compliance with NYDFS regulations is mandatory for any financial institution operating in New York State. Failure to comply can result in severe penalties, including fines and loss of licenses.

Compliance Requirements

The NYDFS Cybersecurity Regulation sets out specific compliance requirements that organizations must meet. Covered Entities are required to be in compliance with certain parts of the regulation by August 28, 2017, and must file their first Certification of Compliance with the NYDFS superintendent's office by February 15, 2018.

To achieve compliance, organizations must develop a cybersecurity program, based on a risk assessment, that protects the confidentiality, integrity, and availability of their information systems, as outlined in Section 500.2. This includes adopting written cybersecurity policies that address specified areas, such as information security, data governance, and incident response, and reviewing those policies regularly.

A cybersecurity program that complies with the NYDFS Cybersecurity Regulation adheres to several key requirements, aligned with the NIST Cybersecurity Framework:

  • Identify all cybersecurity threats, both internal and external.
  • Employ defense infrastructure to protect against those threats.
  • Use a system to detect cybersecurity events.
  • Respond to all detected cybersecurity events.
  • Work to recover from each cybersecurity event.
  • Fulfill various requirements for regulatory reporting.

Who is Covered

The NYDFS Cybersecurity Regulation applies to a wide range of entities conducting business in New York, including state-chartered banks, insurance companies, and foreign (non-U.S.) banks licensed to operate in New York.

To be more specific, the regulation covers organizations that are regulated by the Department of Financial Services, such as licensed lenders, trust companies, and service contract providers. Private bankers and mortgage companies are also included.

However, the regulation provides some exemptions. Organizations with fewer than 10 employees, less than $5 million in gross annual revenue over the past three years, or less than $10 million in year-end total assets are exempt from certain requirements.

Here's a breakdown of the types of entities that are covered under the NYDFS Cybersecurity Regulation:

  • State-chartered banks
  • Licensed lenders
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

It's worth noting that even if an organization is exempt from certain requirements, it may still need to comply with others, especially if it has access to sensitive information.

Requirements

Compliance with the NYDFS Cybersecurity Regulation requires a robust cybersecurity program that adheres to several key requirements. These include identifying all cybersecurity threats, both internal and external, and employing defense infrastructure to protect against those threats.

The regulation also requires a system to detect cybersecurity events, a response to every detected event, and recovery from each event. Fulfilling the various regulatory reporting requirements is also a crucial aspect of the regulation.

To become compliant, Covered Entities must adhere to specific parts of the regulation by August 28, 2017, and file their first Certification of Compliance with the NYDFS superintendent's office by February 15, 2018.

A cybersecurity program that complies with the NYDFS Cybersecurity Regulation will adhere to the NIST Cybersecurity Framework, which outlines five key functions: Identify, Protect, Detect, Respond, and Recover. These functions serve as a framework for developing a comprehensive cybersecurity program.

Here are the key requirements outlined in the regulation:

Exemptions

If your organization qualifies for exemptions under the NYDFS Cybersecurity Regulation, you may still need to comply with core cybersecurity requirements to meet the NYDFS basic protection standards.

You can qualify for an exemption if your organization meets one of the following criteria: fewer than 10 employees, including independent contractors, or less than $5 million in gross annual revenue from New York operations over the past three years.

Even with an exemption, you'll still need to meet the following core requirements of the NYDFS basic protection standards:

  • Establish a cybersecurity program that effectively identifies and mitigates risks.
  • Conduct regular risk assessments to evaluate vulnerabilities and exposure.
  • Implement access controls to manage who can access sensitive data.
  • Maintain an audit trail to track cybersecurity events and activities.
  • Use multi-factor authentication (MFA) to secure access to critical systems and sensitive information.

Here are the specific exemption criteria:

  • You have fewer than 10 employees, including independent contractors.
  • Over the past three years, you’ve earned less than $5 million in gross annual revenue from New York operations.
  • You have less than $10 million in year-end total assets.

Reporting Requirements

Reporting requirements under NYDFS are detailed and important to get right. You'll need to submit an annual certification to the Superintendent, in the form set forth in Appendix A of the NYDFS Cybersecurity Regulation.

This certification attests that your organization complies with all the requirements outlined in the regulation. You'll need to maintain the records, schedules, and data supporting the certification for five years and make them available for examination by the Department.

Covered entities must also identify any areas that require material improvement, updating, or redesign, and document both those findings and the remedial efforts planned to address them. All such documentation must be available for inspection by the Superintendent.

You'll also need to report any cybersecurity event to the NYDFS within 72 hours if the event has a reasonable likelihood of materially harming normal operations.

The report should include a description of the cybersecurity event, the remedial measures taken or planned to address the event, and the status of the investigation into the event. You must also maintain records of all cybersecurity events and provide these records to the NYDFS upon request.

Here's a quick rundown of the reporting requirements:

  • Annual certification: Submit a certification to the Superintendent in the form set forth in Appendix A of the NYDFS Cybersecurity Regulation.
  • Certification of compliance: Certify that your organization complies with all the requirements outlined in the regulation.
  • Maintenance of records: Maintain records, schedules, and data supporting the certification for five years and make them available for examination by the Department.
  • Identification of areas for improvement: Identify areas for improvement and document remedial efforts planned to address these areas.
  • Cybersecurity event reporting: Report any cybersecurity events to the NYDFS within 72 hours if the event has a reasonable likelihood of materially harming normal operations.

How it Works

The NYDFS Cybersecurity Regulation is a complex set of rules, but at its core it imposes strict cybersecurity obligations on covered organizations.

These rules require the establishment of a detailed cybersecurity plan: a comprehensive document outlining an organization's cybersecurity strategy and procedures.

A Chief Information Security Officer (CISO) must be designated to oversee and implement the cybersecurity plan, ensuring that it is executed effectively.

A comprehensive cybersecurity policy must be enacted, outlining the organization's approach to cybersecurity and the measures in place to protect sensitive data.

Organizations must also establish and maintain an ongoing reporting system for cybersecurity events, keeping track of any incidents or breaches that occur.

Carlos Bartoletti

Writer