The NYDFS Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity Regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.
The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS). Covered entities must also implement and maintain a comprehensive cybersecurity program in accordance with a specific compliance timeline.
The NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) in response to the growing sophistication of cybercriminals and the increasingly volatile cybersecurity climate facing US financial institutions. The goal of the regulation is to ensure the safeguarding of sensitive customer data and to promote the integrity of the information technology systems of regulated entities.
The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:
You might already be familiar with the original regulation rules that were proposed, but it’s important to note that the final regulation includes some important changes, including:
The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:
The regulation provides an exemption for organizations with:
The clock started ticking when the NYDFS Cybersecurity Regulation 23 NYCRR Part 500 took effect on March 1, 2017. There are multiple milestones and deadlines to hit in the first year alone, and organizations looking to become compliant will need to pay close attention to the calendar.
Covered Entities are required to be in compliance with certain parts of the regulation as soon as August 28, 2017, and must file their first Certification of Compliance with the NYDFS superintendent’s office by February 15, 2018.
Important steps in achieving compliance are outlined according to the deadlines below. Note: this is just a partial list—a complete list with additional sections and deadlines can be found here.
March 1, 2017 – Effective date of final 23 NYCRR Part 500.
August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.
To achieve and maintain compliance, by this date a Covered Entity must:
February 15, 2018 – Covered Entities must submit their first Certification of Compliance under 23 NYCRR 500.17(b) on or before this date.
March 1, 2018 – One-year mark. To maintain compliance, by this date organizations must:
September 3, 2018 – 1.5-year mark. By this date, Covered Entities must prove they’ve:
Achieving and maintaining cybersecurity compliance is a complex process, but it doesn’t have to be a difficult or stressful one. There are resources available to help you take a proactive, data-driven approach to comprehensive cybersecurity that can help bring your organization into full compliance, protect your business’s valuable data, and safeguard your customers’ sensitive information.