NYDFS, the New York State Department of Financial Services, has recently updated its Cybersecurity Regulation to impose more rigorous compliance requirements on companies. Among these is the need to report ransomware events to the NYDFS superintendent and to notify the regulator when a company has paid an extortion payment, regardless of the type of cybersecurity event. In addition, the update introduces requirements for larger companies: those generating over $20 million in revenue from business operations in New York and either $1 billion in gross revenue from business operations in all states or more than 2,000 employees.

What is NYDFS?

NYDFS, or the New York Department of Financial Services (NYDFS) Cybersecurity Regulation, is also known as 23 NYCRR 500. Its overarching goal is to protect consumers and safeguard New York financial institutions by requiring companies to assess their cybersecurity risk profile. Like numerous regulations, 23 NYCRR 500 is designed to protect sensitive non-public information. However, it is specifically meant for covered New York-chartered or licensed financial institutions such as credit unions, banks, insurance firms and mortgage companies, as well as the third-party service providers they work with. The original regulation that went into effect in 2018 was scheduled to be implemented in four different phases.

The consequences of failing to comply with NYDFS can be significant. In 2021, for example, NYDFS fined First Unum Life Insurance Company and Paul Revere Life Insurance Company a total of $1.8 million for violating the regulation. It was found that the companies had failed to implement multi-factor authentication as required. Not only did they fail to implement MFA, but they falsely reported that they had.

New Dates for the Latest NYDFS Cybersecurity Regulation

When preparing to comply with NYDFS requirements, you’ll want to follow best practices. These include first determining whether your company is subject to the regulation at all, since smaller organizations receive exemptions from certain parts of it. You’ll also need to assemble or hire a compliance team, because it is this team that executes the cybersecurity plan and processes the regulation requires. The CISO oversees the work of the compliance team. Finally, every company should understand its cybersecurity risk profile so that it can address risks proactively.

The most recent version of the NYDFS requirements was finalized in November 2023 and goes into effect in stages:

  • December 1, 2023. Companies are required to notify customers of cybersecurity events and conduct annual compliance certification.
  • April 29, 2024. Companies must meet compliance.
  • November 1, 2024. Companies must meet requirements for incident response planning, business continuity and disaster recovery (BCDR), governance, encryption and size-based exemptions.
  • May 1, 2025. Companies must meet requirements for vulnerability scanning, password controls, and enhanced monitoring controls for larger companies (known as “Class A” companies).
  • November 1, 2025. Both asset inventory and multi-factor authentication requirements come into effect.

10 Facts You Should Know About NYDFS

NYDFS requirements are known to be quite rigorous, and they are backed by an aggressive regulator. In fact, DFS recently charged the First American Title Insurance Company with failing to adhere to its cybersecurity regulation, marking the first time that 23 NYCRR 500 was enforced. Undoubtedly, there will be more such enforcement actions in the future.

What do you need to know about NYDFS cybersecurity regulation? Here are ten notable facts:

1. It Doesn’t Just Apply to New Yorkers.

While NYDFS cybersecurity regulation is specifically meant for the financial institutions that are regulated by the New York Department of Financial Services, such organizations don’t necessarily have to be located in the Big Apple to be required to comply. Rather, NYDFS applies to organizations that do financial business in New York, even if they are located elsewhere. For example, the cryptocurrency trading platform eToro recently received a BitLicense from NYDFS to trade with New York residents. The regulation also extends to financial institutions’ third parties – no matter where they are.

2. It Has Specific Cybersecurity Assessment Requirements.

Unlike some regulations, NYDFS stipulates very particular security processes that must be put in place. These include, for example, performing annual penetration testing, bi-annual vulnerability assessments and periodic risk assessments. These requirements are designed to ensure that businesses regularly check for cyber issues that may surface as business operations change.

3. It Requires the Appointment of a CISO.

NYDFS cybersecurity regulation requires organizations to appoint a chief information security officer who is tasked with implementing and enforcing cybersecurity. The CISO is responsible for submitting a written report at least annually to the organization’s board of directors, governing body or senior officer about the organization’s cybersecurity program and risks. He or she should consider the integrity and security of the organization’s information systems, its cybersecurity policies and procedures, cyber risk, program effectiveness and any cyber events experienced. As of the November 2023 amendment, the CISO is also responsible for reporting significant cybersecurity events and changes in the company’s cybersecurity policies to the company’s senior governing body.

4. It Demands Limited Retention of Non-public Information.

Compared to most privacy laws, NYDFS cybersecurity regulation has simpler requirements regarding the storage and processing of personal information. It does specify that non-public information (such as PII) should not be retained unless needed for legitimate business purposes, or when such data is required by laws or regulations.

5. It Mandates a Third-Party Service Provider Policy.

To prevent cyberattacks through third parties, NYDFS requires organizations to implement written policies and procedures that ensure that data shared with third-party service providers remains secure. Specifically, there must be guidelines in place for third parties, including the use of multi-factor authentication, encryption and cyber event notifications. Smaller organizations, however, may be able to meet compliance through their third-party providers.

6. It Covers a Wide Range of Cyber Events.

NYDFS aims to prevent any attempts to misuse or unlawfully access systems, including, for example, ransomware and denial of service attacks. This goal extends beyond just preventing data breaches, and requires organizations to carefully examine cybersecurity processes and procedures such as employee access.

Like many privacy regulations, NYDFS demands notice to the regulator (known as the “Superintendent”) of cyber events no later than 72 hours after the “determination” that there has in fact been such an occurrence. Penalties for failing to do so are high.

7. It Demands Serious Cyber Training.

Cybersecurity training is critical to a robust security process, but the amount required by NYDFS cybersecurity regulation is notable: not only are companies required to train their employees about addressing cybersecurity risk; they also must ensure that their cybersecurity professionals remain current with cyber trends. Such training is key to reducing the likelihood that attacks targeting employees succeed. The latest requirements demand that employees be trained on business continuity and disaster recovery plans annually.

8. It Has Different Requirements for Companies Depending on their Revenue.

Under the regulation, companies making under $5 million in revenue from New York operations over the last three years, with a staff of fewer than 10, or with less than $10 million in year-end total assets are exempt from specific requirements of NYDFS. In the latest update of the regulation, organizations with over $20 million in revenue from business operations in New York and either $1 billion in gross revenue from business operations in all states or more than 2,000 employees (known as Class A companies) are subject to specific additional requirements. These include independent audits of their cybersecurity programs, implementing a privileged access management solution and an endpoint detection and response solution, and automatically blocking common passwords for information system accounts. If the organization cannot block common passwords, the CISO must explain in writing why it is not possible and provide alternative solutions.

9. Its Requirements Include Third-Party Security.

The regulation also requires companies to have a policy in place for third parties that may need access to sensitive information or to the institution’s network. This third-party security policy should also include a method for evaluating its own effectiveness, periodic assessments of third-party policies and controls, and risk assessments of the third parties themselves. The financial institution must also document the exact security requirements a third party must meet before the two can engage in a business relationship.

10. It Doesn’t Tell You Exactly How to Achieve Security.

NYDFS is meant to offer structure and guidance to financial institutions through specific requirements such as annual penetration testing and multi-factor authentication. However, it leaves the implementation details up to each company’s security team. As cybersecurity practices evolve, risks become more complex and sophisticated, and a company’s infrastructure undergoes changes, no set of cybersecurity requirements can guarantee a company’s security.

How Panorays Helps Manage Third-Party Risks

Requirements such as NYDFS are constantly changing, and companies must be ready to meet changing demands for compliance at a moment’s notice. Panorays delivers a contextual approach to third-party cyber risk that reflects the evolving business context. It delivers a risk score your business can trust. At the same time, it minimizes dependence on communication with your third parties while offering a customized, scalable TPRM program that expedites the vendor onboarding process.

Its platform capabilities include:

  • Supply Chain Discovery and Mapping. Many businesses aren’t even aware of the number of third parties integrated into their IT infrastructure, let alone the criticality of those services. Automatically discover unknown third through n-th parties, profiling each vendor for the level of criticality and risk they pose to your organization. Closely monitor them for any threats.
  • Risk DNA. Customized context-based risk ratings based on a combination of internal and external risk assessments, real-time threat intelligence and your organization’s KRIs and KPIs. It is the only cyber risk rating that takes into consideration the evolving nature of third-party relationships, their risk appetite and internal cybersecurity policies.
  • Continuous Threat Detection. Get alerts of breaches and cybersecurity incidents across your third parties’ extended attack surface with a contextualized view of your supply chain.
  • Remediation and Collaboration. Get comprehensive collaborative capabilities with third parties with step-by-step remediation plans prioritized according to the level of risk. Simply set the security goal with each supplier and generate an aggregated remediation plan covering gaps in both external attack surfaces and cybersecurity questionnaires.