The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.
The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS). Covered entities must also implement and maintain a comprehensive cybersecurity program in accordance with a specific compliance timeline.
The NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity climate facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.
The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:
You might already be familiar with the original regulation rules that were proposed, but it’s important to note that the final regulation includes some important changes, including:
The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:
The regulation provides an exemption for organizations with:
The clock started ticking when the NYDFS Cybersecurity Regulation 23 NYCRR Part 500 took effect on March 1, 2017. There are multiple milestones and deadlines to hit in the first year alone, and organizations looking to become compliant will need to pay close attention to the calendar.
Covered Entities are required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must file their first Certification of Compliance with the NYDFS superintendent’s office by February 15, 2018.
Important steps in achieving compliance are outlined according to the deadlines below. Note: this is just a partial list—a complete list with additional sections and deadlines can be found here.
March 1, 2017 – Effective date of final 23 NYCRR Part 500.
August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.
To achieve and maintain compliance, by this date a Covered Entity must:
February 15, 2018 – Covered Entities must submit their first Certification of Compliance under 23 NYCRR 500.17(b) on or before this date.
March 1, 2018 – One-year mark. To maintain compliance, by this date organizations must:
September 3, 2018 – 1.5-year mark. By this date, Covered Entities must prove they’ve:
Achieving and maintaining cybersecurity compliance is a complex process, but it doesn’t have to be a difficult or stressful one. Resources are available to help you take a proactive, data-driven approach to comprehensive cybersecurity, bringing your organization into full compliance while protecting your business’s valuable data and safeguarding your customers’ sensitive information.
In this week's Whiteboard Wednesday, Jay Radcliffe, senior security consultant at Rapid7, discusses what the NYDFS cybersecurity regulations are, what it means to be compliant, and who is and is not affected.