SchellmanCON is back! Join us for our virtual conference on March 6 & 7, 2025

Contact Us
Services
Services
Crypto and Digital Trust
Crypto and Digital Trust
Schellman Training
Schellman Training
Sustainability Services
Sustainability Services
AI Services
AI Services
About Us
About Us
Leadership Team
Leadership Team
Corporate Social Responsibility
Corporate Social Responsibility
Careers
Careers
Strategic Partnerships
Strategic Partnerships

The NYDFS Cybersecurity Regulation: A Comprehensive Guide

Cybersecurity Assessments

Back in 2017, the New York State Department of Financial Services (NYDFS) took a significant step to enhance the cybersecurity defenses of financial institutions operating in New York by introducing the NYDFS Cybersecurity Regulation. Through its set of requirements—since amended in 2023—the Regulation aims to better safeguard the sensitive information processed through these organizations which must adhere to its mandates.

As expert cybersecurity assessors, we’re familiar with a diverse multitude of standards and frameworks intended to help protect against digital threats, the NYDFS Cybersecurity being just one. We’re in the business of demystifying complex frameworks like this, and so for those entities under the NYDFS’s purview, we’re going to do just that.

In this comprehensive blog post, we’ll delve into the key requirements of the original version of this regulation, the changes made to it in 2023, and how entities must report their compliance.

 

To Whom Does the NYDFS Cybersecurity Regulation Apply?

 

The NYDFS Cybersecurity Regulation requires that covered entities (CE) establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of your institution.

Already, this begs the question—“who are these referenced ‘covered entities?’”

Per the latest definition within the Regulation, a covered entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law, regardless of whether the covered entity is also regulated by other government agencies.”

In other words, you could be subject to comply with these cybersecurity requirements if you’re a:

Commercial bank

Savings bank

Savings and Loan Association

Foreign bank with New York branches

Insurance company

Reinsurance company

Insurance agents

Insurance broker

Mortgage broker

Mortgage banker

Licensed lender

Money transmitter

Service contract provider

Private banker

Investment company

Trust company

Credit union

Any other entity required to operate under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the New York Banking Law, the Insurance Law, or the Financial Services Law.

That being said, as part of the November 2023 amendment, the NYDFS created a new class of covered entities titled “Class A Companies” which are subjected to elevated requirements within the Regulation. Class A Companies are categorized as:

  • Having accrued at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations through the state of NY, and
  • Either:
    • Have over 2,000 employees; or
    • Have over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations & all affiliates, regardless of location.

What were the Original NYDFS Cybersecurity Regulation Requirements?

 

Now that we’ve established who is on the hook for the NYDFS Cybersecurity requirements, here's a breakdown of the key stipulations within the original 2017 regulation:

Section

Category

Requirements

500.2

Cybersecurity Program

Develop and maintain a cybersecurity program based on a performed risk assessment to protect the confidentiality, integrity, & availability of information systems.

500.3

Cybersecurity Policy

Implement a written cybersecurity policy or policies addressing specified areas including information security, data governance, and incident response that are reviewed on a routine cadence.

500.4

Chief Information Security Officer (CISO)

Designate a qualified individual as the CISO responsible for overseeing and implementing the cybersecurity program.

500.5

Penetration Testing and Vulnerability Assessments

Conduct regular penetration testing and vulnerability assessments to identify and mitigate potential gaps.

500.6

Audit Trail

  • Maintain systems capable of reconstructing financial transactions and audit trails to detect and respond to cybersecurity events.
  • Keep records of financial transactions for at least five years and keep records of audit trails for three years.

500.7

Access Privileges

Limit user access privileges to Information Systems that provide access to nonpublic information (NPI) and periodically review such access privileges.

500.8

Application Security

Maintain & review written procedures, guidelines, and standards on the use of secure development practices as well as procedures for evaluating, assessing, or testing the security of externally developed applications.

500.9

Risk Assessment

Conduct periodic risk assessments to identify emerging cybersecurity risks and develop additional strategies to mitigate any newly identified risks.

500.10

Cybersecurity Personnel & Intelligence

Dedicate qualified cybersecurity personnel (internal or external) to manage and oversee cybersecurity risks. Personnel should also establish learning sources to remain up to date on cyber trends.

500.11

Third-Party Service Providers

Establish policies and procedures to ensure the security of information systems and NPI accessed by third-party service providers.

500.12

Multi-Factor Authentication (MFA)

Implement multi-factor authentication for accessing internal systems or sensitive information.

500.13

Data Retention

Ensure the security of NPI through encryption, access controls, and other protective measures.

500.14

Employee Training

Provide regular cybersecurity awareness training to all employees to enhance their understanding of cybersecurity risks and best practices.

500.15

Encryption of NPI

  • Encrypt NPI in transit as well as at rest.
  • Where infeasible to implement encryption, document such and utilize compensative controls approved by the CISO or acting CISO.

500.16

Incident Response Plan

Develop an incident response plan to promptly respond to and recover from cybersecurity events.

500.17

Notices to Superintendent

  • Notify the superintendent within 72 hours of a cybersecurity event.
  • Annually submit written notice of compliance to the superintendent by April 15.

500.18

Confidentiality

Respect that NPI provided by a CE is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law, or any other applicable state or federal law.

 

What are the NYDFS Cybersecurity Regulation Requirements? (2023)

Over five years after these requirements were originally published—on November 1, 2023—the NYDFS announced what had been a long-anticipated amendment to that original cybersecurity regulation. The changes included stricter protocols and related amended guidance to help organizations further improve the safeguarding of their data against evolving cyber threats.

While we recommend reviewing the amendment in its entirety, the following table highlights key changes contained in the latest requirement language of the Regulation:

Section

Category

Amended or New Requirement Language (2023)

500.2

Cybersecurity Program

  • Extends the program to protect the CIA of information systems and NPI stored on those information systems.
  • Class A companies must undergo independent audits of their cybersecurity program

500.3

Cybersecurity Policy

  • Specifies the routine cadence shall be at least annually and that procedures shall be implemented in accordance with policies
  • Adds to the minimum topics policies should address

500.4

Cybersecurity Governance

  • Requires the naming of an independent governing body or senior official(s) to oversee the cyber risk program—the acting CISO must report on material issues to said independent official(s).

500.5

Vulnerability Management

  • Mandates:
    • Annual pen tests on your internal and external environment; and
    • Vulnerability scans at a frequency determined by your risk assessment;
    • Timely remediation of any findings.

500.6

Audit Trail

NO CHANGES

500.7

Access Privileges and Management

Decrees that you must:

  • Limit the number of privileged accounts
  • Limit elevated access to only when it’s needed
  • Perform at least the minimum of annual access reviews

* Class A companies must also block common passwords for all accounts

500.8

Application Security

  • Requires that you review related policies at least annually.

500.9

Risk Assessment

  • Mandates that risk assessments are performed annually or upon a material change in cyber risk.

500.10

Cybersecurity Personnel & Intelligence

  • Instructs that you must ensure any third party assisting you in complying with this regulation adheres to Sections 500.4 and 500.11.

500.11

Third-Party Service Providers

  • Requires that subentities and the like must all establish their own vendor policy—no exceptions.

500.12

Multi-Factor Authentication (MFA)

  • Unless you qualify for an exception, you must implement MFA for remote access into information systems, third-party apps into NPI, and all privileged accounts.

500.13

Asset Management and Data Retention

You must:

  • Include the specified content within the asset inventory
  • Review that content at a frequency that you determine

500.14

Monitoring and Training

You must:

  • Protect against malicious code, including web traffic & e-mail filtering
  • Perform social engineering at least annually to raise awareness among employees

* Class A CEs must also implement an EDR solution equipped with event alerting

500.15

Encryption of NPI

You must:

  • Review the feasibility of encryption and effectiveness of the compensating controls (performed by the CISO at least annually).

500.16

Incident Response & Business Continuity

  • Specify goals of the incident response plan, adds that the process should include root cause describing (a) why the event occurred, (b) impact, & (c) preventing reoccurrence, & that the plan should be updated as needed as well as tested at least annually.
  • Incorporates new specifications for business continuity & disaster recovery planning.

500.17

Notices to Superintendent

  • Modifies the requirement of notice to be upon determination of a cybersecurity incident rather than an event.
  • Extensive modifications of mechanisms to report to the superintendent and notices to be included.

500.18

Confidentiality

NO CHANGES

500.19

Exemptions

While there are many ways to qualify for certain exemptions, key modifications in the amendment included exemptions from sections 500.4-500.6; 500.8; 500.10; 500.14a1-2; 500.14b; & 500.15-16. for CEs with:

  • Less than 20 employees and contractors;
  • Less than $7.5million in revenue in the last three fiscal years; or
  • Less than $15million in total assets.

500.20

Enforcement

Specifies that CEs could be subject to penalty if the CE:

  • Fails to secure or prevent unauthorized access to NPI due to noncompliance with any section
  • Commits a material failure to comply with any section for any 24-hr period (i.e., CEs may be fined for each day they do not adhere to any section of the regulation)

500.21

Effective Date

The second amendment became effective November 1, 2023.

500.22

Transitional Period

The timeline for adoption with each amendment ranges from 30 days from the November 1 notice to two years—refer to the Timeline of Adherence below leveraged from NYDFS’ timeline to comply roadmap.

500.23

Severability

NO CHANGES

500.24

Exemptions from electronic filing and submission requirements

  • Outlines instructions for submitting exemptions to the superintendent.
  • Repeals Appendix B Form – Notice of Exemption

NOTE: Together with the technical revisions to the requirements, there were also numerous updates to definitions throughout the regulation (Section 500.1).

 

What are the NYDFS Cybersecurity Regulation Reporting Requirements?

NYDFS Cybersecurity Regulation Annual Reporting

In addition to implementation of the specified cybersecurity measures required by the NYDFS Cybersecurity Regulation, covered entities are also required to submit an annual certification to the Superintendent. As this document will certify your commitment to maintaining strong cybersecurity practices, it should include:

  • Form of Submission: Your statement must be submitted in the form set forth as Appendix A of the NYDFS Cybersecurity Regulation.
  • Certification of Compliance: Your statement must certify that your organization complies with all the requirements outlined in the regulation.
  • Maintenance of Records: Covered entities must maintain all records, schedules, and data supporting the certification for five years, and these documents must be available for examination by the Department.
  • Identification of Areas for Improvement: If a covered entity identifies areas, systems, or processes that require material improvement, updating, or redesign, you must document these identifications, as well as the remedial efforts you have planned and that are underway to address these areas, systems, or processes.
  • Availability for Inspection: All documentation related to areas for improvement and remedial efforts must be available for inspection by the Superintendent.

 

NYDFS Cybersecurity Regulation Event Reporting

Aside from your annual certification, CEs are also required to report any cybersecurity events to the NYDFS within 72 hours if the event has a reasonable likelihood of materially harming normal operations, and your reporting should include:

  • A description of the cybersecurity event;
  • The remedial measures taken or planned to address the event; and
  • The status of the investigation into the event.

You must also maintain records of all cybersecurity events and provide these records to the NYDFS upon request.

Should you fail to adhere to these annual certification, documentation, and event reporting requirements, you may be subject to regulatory scrutiny, significant potential penalties, and reputational damage.

 

Next Steps for Compliance with the NYDFS Cybersecurity Regulation

Though we’ve just provided a comprehensive summary of the changes to the Regulation and its requirements, we do still advise organizations to read through both the announcement and the amendment to familiarize themselves even more with the nature of this critical regulation.

And should you still have questions or concerns about the NYDFS Cybersecurity Regulation, feel free to contact us, as any of our experts at Schellman would be more than happy to discuss your concerns and the different cybersecurity assessment solutions that could help reduce your compliance friction.

About COLLIN VARNER

Collin is a Senior Manager with Schellman Compliance, LLC based in Denver, Colorado. Collin is focused primarily on specializing in IT attestation, audit, and compliance activities as they relate to numerous standards including SOC, HIPAA, CMMC, and a suite of ISO standards. Prior to joining Schellman, Collin held roles tasked with planning, organizing, and managing multiple facets of information technology and security reviews including cybersecurity assessments, risk management, internal and external audit, system implementations, and customized attestation reporting.