Your Cybersecurity Program Under NYDFS Rules

Is Your Cybersecurity Program 2025 Ready?

Key Takeaways

  • Broad Applicability: The NYDFS Cybersecurity Regulation applies to any organization, regardless of physical location, that provides financial, insurance, credit, or payment services to New York residents, which means many companies may be subject to it without realizing it.
  • Tiered Compliance Requirements: All covered entities must meet baseline cybersecurity controls, while Class A companies face enhanced requirements such as Privileged Access Management (PAM) and Endpoint Detection and Response (EDR); even small or exempt entities must protect nonpublic information (NPI) and file exemption notices.
  • Urgent Deadlines and Strict Enforcement: Final control implementation is due by November 1, 2025, with strict obligations like 72-hour incident reporting and annual compliance certifications; noncompliance can result in penalties determined by the NYDFS Superintendent.

Understanding the New Additions to the NYDFS Regulations

Your organization might be subject to the New York Cybersecurity Regulation without even realizing it. The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, first enacted in 2017, applies not only to entities based in New York but also to any organization that processes payments or provides insurance, credit, or financial services to New York residents, regardless of where the organization is located. These pioneering rules positioned New York as a leader in mandating cybersecurity compliance for financial institutions such as banks, credit unions, and Health Maintenance Organizations (HMOs). To keep pace with the changing cyber threat landscape, amendments to the DFS Cybersecurity Regulation were enacted in 2023. Implementation of the final set of controls is approaching quickly and is due by November 1, 2025.

Am I Required to Establish Controls Addressing These Requirements?

The NYDFS Cybersecurity Regulation mandates that covered entities, including small businesses and Class A companies, implement specific cybersecurity compliance controls. A covered entity is any person or organization operating under New York’s Banking, Insurance, and Financial Services Law, such as banks, credit unions, insurance companies, and Health Maintenance Organizations (HMOs). This includes organizations that are not physically located in New York but still conduct business with the state or its residents. According to Section 500.1(g), Class A companies (those with at least $20 million in gross annual revenue for the last two fiscal years and either over 2,000 employees or $1 billion in gross annual revenue from all operations) must implement a suite of baseline controls plus a list of enhanced controls. Even exempt entities must protect nonpublic information (NPI).

The NYDFS Cybersecurity Regulation defines small businesses as companies with fewer than 20 employees, less than $7.5 million in gross annual revenue for each of the last three fiscal years, or less than $15 million in total year-end assets. These small businesses may qualify for limited exemptions but must electronically file a Notice of Exemption on the NYDFS website within 30 days of determining eligibility. Exempt entities must still implement baseline protections for nonpublic information (NPI), such as encryption and access controls.

Does the category of organization affect what requirements I am subject to implementing?

Yes, depending on the type of organization, there are different sets of requirements. For example, one of the baseline requirements is that access controls are implemented. While annual risk-based access control reviews and Multifactor Authentication implementation are required for all three classifications of organization, Class A organizations must also implement automated password blocking and Privileged Access Management (PAM) (Title 23, Part 500.2 through 500.18).

Despite the enhanced requirements for Class A companies, all covered entities must comply with the baseline requirements under the NYDFS Cybersecurity Regulation to ensure cybersecurity compliance. These include:

  • Appointing a Chief Information Security Officer (CISO) to oversee the cybersecurity program.
  • Developing incident response and notification plans, including 72-hour reporting for significant incidents.
  • Maintaining asset inventories to track systems and data.
  • Conducting regular cybersecurity training for employees.
  • Implementing third-party vendor oversight to ensure secure partnerships.
  • Using encryption to protect nonpublic information (NPI).
  • Performing vulnerability management to address security gaps.
  • Submitting an annual compliance certification to NYDFS.
  • Retaining cybersecurity records for three years.

Requirements vary by organization type, with Class A companies facing additional controls like endpoint detection and response (EDR). For full details, review the New York Code of Rules and Regulations Title 23, Part 500 or visit the NYDFS Cybersecurity Resource Center.

What do the requirements for the various categories of organizations have in common?

They all require that organizations maintain a cybersecurity program to protect the confidentiality, integrity, and availability of nonpublic information (NPI). Regardless of the size and classification of your organization, this cybersecurity program must identify both internal and external cybersecurity risks through periodic risk assessments. The results of these risk assessments must be formally documented and actively used to update the organization’s cybersecurity program and policies. Note that these risk assessments must also be conducted in accordance with the organization’s own policies and procedures.

So, cybersecurity policies and procedures must explicitly call out the requirement for risk assessments. Are policies and procedures required for other areas of the cybersecurity program?

Yes, under 23 NYCRR 500.2, all covered entities must maintain a cybersecurity program with documented policies and procedures, including explicit requirements for periodic cybersecurity risk assessments. Other areas that require documented policies and procedures include, but are not limited to, data retention, remote access controls, security awareness training, incident notification, and vulnerability management.

Another critical requirement, under 23 NYCRR 500.17, mandates that covered entities notify the Superintendent of Financial Services within 72 hours of determining that a cybersecurity incident has occurred, whether the incident occurred internally or at an affiliate or third-party service provider. The 2023 NYDFS amendments also require reporting of ransomware payments within 24 hours. A cybersecurity incident is defined as an event that impacts the covered entity, has a reasonable likelihood of causing harm, materially disrupts normal operations, or involves the deployment of ransomware within the entity’s information systems.

When must my organization implement the NYDFS required controls?

The original regulation took effect on March 1, 2017, with additional implementation deadlines added through amendments. Additional requirements were mandated by December 1, 2023, and the final set of controls, including multi-factor authentication (MFA) and asset inventory, must be implemented by November 1, 2025. For detailed information on specific control deadlines, we recommend you visit the NYDFS Cybersecurity Resource Center.

Penalties for noncompliance with the regulation are determined by the Superintendent of Financial Services, who is appointed by the Governor of New York. Key factors that will be considered include, but are not limited to, cooperation with the Superintendent, the good faith of the entity, its history of prior violations, the extent of harm to consumers, and whether the violation was a failure to respond to previously examined matters.

While this article has covered some of the current and upcoming NYDFS rule changes, there are many other detailed requirements, such as the requirement to submit a notice of compliance annually to the Superintendent. Please visit the New York Code of Rules and Regulations Title 23, Part 500, and review sections 500.00 through 500.24 for the detailed requirements.

Close Cybersecurity Gaps with LBMC Risk Assessments

Ready to evaluate your cybersecurity program to identify potential gaps? Consult a cybersecurity expert who can assess your security posture and shore up your program. This includes assistance in fulfilling the explicit requirement to conduct a documented risk assessment for your organization and developing mandated policies and procedures. Maintaining compliance is not just a best practice; it’s a requirement that contributes to keeping your business secure and ready in the face of auditors.

Content provided by Van Steel, Shareholder, and Anthony Lynch, Senior Security Consultant, LBMC Cybersecurity. Contact them at van.steel@lbmc.com and anthony.lynch@lbmc.com.
