New York State Department of Financial Services Regulations

1. Introduction

The NYSDFS Cybersecurity Regulation represents one of the most comprehensive state-level cybersecurity regulations in the United States. Effective from March 2017, this pioneering regulation establishes detailed cybersecurity requirements for financial services companies operating in New York State. It has become a model for other states and influenced federal approaches to financial sector cybersecurity requirements.

The regulation takes a risk-based approach to cybersecurity, requiring covered entities to assess their specific risks and implement comprehensive programs to protect their information systems and nonpublic information. Its requirements are specific and prescriptive, providing clear guidance while allowing flexibility in implementation based on an entity’s risk assessment.

2. Scope and Application

The regulation applies to entities operating under or required to operate under New York banking, insurance, or financial services laws.

| Entity Type | Coverage | Examples |
|---|---|---|
| Covered Entities | State-licensed financial institutions; state-registered organizations; DFS-regulated entities | Banks; insurance companies; money services businesses |
| Limited Exemptions | Small organizations; low-risk entities; limited operations | Fewer than 10 employees; less than $5M NY revenue; no NY information systems |
| Third Parties | Service providers; vendors; business partners | IT providers; cloud services; data processors |

Protected Information

| Category | Types of Information | Protection Required |
|---|---|---|
| Nonpublic Information | Business information; financial records; individual details; healthcare data | Comprehensive protection required |
| Information Systems | Electronic systems; networks; hardware; data storage | Security controls and monitoring |
| Access Credentials | User credentials; access keys; security tokens; system passwords | Strict access controls required |

3. Core Requirements

The regulation mandates specific cybersecurity measures and programs that covered entities must implement.

| Requirement | Key Components | Implementation Guidance |
|---|---|---|
| Cybersecurity Program | Risk-assessment based; written policies; defense infrastructure; detection systems | Document program elements; regular testing; continuous monitoring; annual review |
| CISO Function | Qualified leadership; regular reporting; program oversight; board updates | Appoint a qualified individual; bi-annual reports; document activities; track metrics |
| Access Controls | Identity management; access limitations; regular reviews; periodic updates | Implement an IAM system; role-based access; quarterly reviews; access logging |

4. Technical Requirements

The regulation specifies detailed technical controls that must be implemented to protect information systems and nonpublic information.

| Control Area | Requirements | Implementation Examples |
|---|---|---|
| Encryption | In-transit protection; at-rest security; key management | TLS for transmission; AES for storage; secure key storage |
| Multi-Factor Authentication | Remote access; privileged accounts; external networks | Biometric factors; hardware tokens; authentication apps |
| Penetration Testing | Annual testing; vulnerability assessment; risk monitoring | External testing; internal scanning; continuous monitoring |

5. Incident Response and Reporting

The regulation requires prompt notification of cybersecurity events and the maintenance of incident response capabilities.

| Requirement | Timeframe | Action Items |
|---|---|---|
| Incident Notification | 72 hours | Notify the Superintendent; initial assessment; impact evaluation |
| Annual Certification | February 15 | Compliance confirmation; program assessment; documentation review |
| Record Retention | 5 years | Event documentation; response records; investigation results |