NYDFS Cybersecurity Regulation: A Functional Program

Many regulations govern cybersecurity. One of them is the NYDFS Cybersecurity Regulation, which imposes cybersecurity requirements on all covered financial institutions. What else is there to know?

More From The Definition

The New York Department of Financial Services (NYDFS) published the regulation on February 16th, 2017. It followed two rounds of feedback from the industry and the public.

The regulation consists of 23 sections, which outline the requirements for an effective cybersecurity program.

Furthermore, it requires covered institutions to assess their cybersecurity risks and to produce plans that proactively address those risks.

Who Is Covered?

  • Foreign banks licensed to operate in New York
  • Licensed lenders
  • Service providers
  • State-chartered banks
  • Mortgage companies
  • Insurance companies
  • Private bankers

However, there are a few exceptions to the regulation.

For instance, organizations that employ fewer than 10 people are exempt from the regulation.

Organizations that produce less than $5 million in gross annual revenue from New York operations in each of the past three years are exempt as well.

Also, organizations that carry less than $10 million in year-end total assets are exempt from certain provisions of the regulation.

How Does It Work?

It works by requiring strict cybersecurity practices. What kind of rules?

The rules may include details on establishing cybersecurity plans and assigning a Chief Information Security Officer. They may also require implementing a comprehensive cybersecurity policy.

Moreover, you may need to initiate or maintain an ongoing reporting system for cybersecurity events.


  • Identify all cybersecurity threats from internal and external sources.
  • Fulfill regulatory reporting requirements.
  • Have a system in place to identify cybersecurity events.
  • Respond to all recognized cybersecurity events.
  • Work to overcome each cybersecurity event.
  • Apply defense infrastructure to protect against cybersecurity threats.

More Requirements

Organizations that the NYDFS Cybersecurity Regulation covers must also meet these requirements:

  • You need to have well-trained personnel. This means that they meet qualifications and receive cybersecurity training. As a result, they can manage cybersecurity threats moving forward.
  • You also need to inform the NYDFS about all cybersecurity events that carry a “reasonable likelihood” of causing material harm.
  • Companies that the regulation covers must control and limit access privileges granted to users.

Benefits And Drawbacks

The regulation was adopted on March 1, 2017. It came as a response to the cyber-attacks and data breaches the financial industry has faced.

However, there are always two sides to a coin: along with the benefits come the drawbacks.

  • The regulation has been scaled back from proposed versions that called for the encryption of all data at rest and in transit, a requirement many institutions argued was unnecessarily restrictive.
  • According to Sam Olyaei, senior research analyst at Gartner Research, the regulation was woefully out of date even before its enactment, though he admits it’s much better than regulation in place (or not in place) in other states.
  • Lastly, small and medium-sized companies can rely on third-party service providers, which can help businesses meet many of the regulatory requirements.
