The New York State Department of Financial Services (NYDFS) requires financial organizations to implement specific cybersecurity assurances to their systems.

In February 2017, the NYDFS issued a new cybersecurity regulation for banks, insurance companies, and other financial institutions. 

According to the NYDFS, the regulation covers all entities operating under or required to operate under DFS licensure, registration, or charter, or which are otherwise DFS-regulated, as well as, by extension, unregulated third-party service providers to regulated entities.

Organizations That Are Required By Law To Comply: 

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Service contract providers
  • Trust companies
  • Mortgage companies
  • Any insurance company doing business in New York

*Financial services firms with fewer than 10 employees, less than $5 million in gross annual revenue for three years, or less than $10 million in year-end total assets are exempt. Exemptions: (1) fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or (2) less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (3) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates, shall be exempt from the requirements of sections 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16 of this Part.

Want to learn more? Download the factsheet (PDF)

Want to learn more? Download the factsheet (PDF)

Contact Us

Is your organization NYDFS compliant?

For answers to your questions and the latest information that ensures NYDFS regulations compliance, speak with our team of experts today.

Contact Us
Dot Accent

Cybersecurity Requirements by Law

These regulations* go beyond federal requirements in many important areas. 

  1. Implement a cybersecurity program
    • Identify and assess internal/external cybersecurity risks
    • Use defensive infrastructure
    • Implementation of policies and procedures
    • Detect cybersecurity events
    • Respond to identified or detected cybersecurity events
    • Recover from cybersecurity events
    • Restore normal operations and services
    • Written procedures, guidelines, and standards
  1. Implement and maintain a written policy or policies
  2. Appoint a CISO who must update your board (in-house or third-party)
  3. Continuous monitoring or periodic penetration testing and vulnerability assessments
  4. Notify regulators of breaches within 72 hours of incident
  5. Maintain audit trails for five years
  6. Periodic risk assessment
  7. Ensure the security of third party service providers
  8. Use multi-factor authentication or alternative access controls
  9. Training and monitoring the activity of privileged users
  10. Encryption of nonpublic information
  11. Establish an incident response plan
  12. Protect all nonpublic information
  13. Destroy nonpublic information periodically and securely
  14. Certify regulatory compliance annually  


Cybersafe Solutions provides services to ensure compliance: 

Web Inspection icon

SOL XDR: Comprehensive Continuous Security Monitoring

Learn More
Checklist icon

Security Policy Development

Learn More
Security Testing icon

Penetration Testing

Learn More
Phishing icon

SOL Training

Learn More
Shield icon

Risk Assessment

Learn More