NYDFS CYBERSECURITY REGULATION

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 and includes 23 sections outlining the requirements for developing and implementing an effective cybersecurity program, requiring covered institutions to assess their cybersecurity risks and develop plans to proactively address those risks. The NYDFS Cybersecurity Regulation included a phased implementation process, with four distinct phases allowing organizations time to implement more robust policies and controls.

WHO IS COVERED UNDER THE NYSDFS CYBERSECURITY REGULATION?

The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities. Examples of covered entities include:

• State-chartered banks
• Licensed lenders
• Private bankers
• Foreign banks licensed to operate in New York
• Mortgage companies
• Insurance companies
• Service providers

There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ less than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.