The New York State Department of Financial Services (NYDFS) Cybersecurity Regulation requires New York insurance companies, banks, and other regulated financial services institutions—including agencies and branches of non-US banks licensed in the state of New York—to assess their cybersecurity risk profile. The NYDFS Cybersecurity regulation is designed to protect consumers and to “ensure the safety and soundness of the institution,” as well as New York State’s financial services industry.

The regulation requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:

  • Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
  • Requirements that the cybersecurity program is adequately funded, overseen by a chief information security officer (who may be employed by the entity itself, an affiliate, or a third-party service provider), and implemented by qualified cybersecurity personnel.
  • Effective incident response plans, including preservation of the data needed to respond to a breach and timely notice to the NYDFS of material cybersecurity events (within 72 hours of determining that one has occurred).
  • Accountability through identification and documentation of deficiencies, remediation plans, and annual certification of compliance to the NYDFS.

Who is Covered Under the NYDFS Cybersecurity Regulation?

The NYDFS Cybersecurity Regulation applies to every entity operating under, or required to operate under, a DFS license, registration, charter, or other form of DFS authorization (a “covered entity”). Third-party service providers are not covered entities in their own right, but the regulation reaches them indirectly: each covered entity must maintain written policies and contractual controls governing the security of the information systems and nonpublic information its service providers can access (Part 500.11). Examples of covered entities include state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, and insurance companies.

The Regulation provides limited exemptions. A covered entity with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $10 million in year-end total assets is exempt from certain requirements (Part 500.19). The exemption is partial, not total: core obligations such as the cybersecurity program and policy, the risk assessment, limits on access privileges, the third-party service provider policy, and the annual certification of compliance still apply. Note that these thresholds were raised by the November 2023 amendment to Part 500, so check the current text of the regulation before relying on them.

Consequences and Penalties for NYDFS Cybersecurity Regulation Violations

Under the New York Banking Law, NYDFS penalties for noncompliance with Part 500 start at $2,500 for each day of noncompliance. If the superintendent finds that the noncompliance forms a “pattern,” the penalty can rise to $15,000 per day, and violations committed “knowingly and willfully” can be penalized at up to $75,000 per day. Enforcement actions in 2022 imposed monetary penalties in the $4.5 million to $5 million range.

How can E Com Security Solutions help with NYDFS Cybersecurity Requirements compliance?

E Com Security Solutions helps organizations comply with the NYDFS Cybersecurity Requirements by assessing risk, managing access, and protecting data at rest and in motion.