Cybersecurity Compliance
NY DFS Cybersecurity Regulations: What You Need to Know
April 29, 2024
The financial services sector is increasingly facing severe cybersecurity threats. To combat this, the New York Department of Financial Services (NY DFS) established Cybersecurity Regulation (23 NYCRR §§ 500.0 to 500.24) in 2017, putting stricter requirements in place for financial institutions regulated by the Department in New York State.
Who is Subject to the NY DFS Cybersecurity Regulations?
The NY DFS Cybersecurity Regulation applies to approximately 3,000 financial institutions operating in New York. Those subject to the regulations include insurance companies, health insurers, managed care organizations, banks, credit unions, credit rating agencies as well as financial services companies.
The regulation also covers organizations that provide third-party services, accessing non-public information (NPI) on behalf of covered organizations, or those playing a role in a covered organization’s business operations. Notably, there are specific additional obligations for Class A organizations. These include entities that earn more than $20 million gross annual revenue from New York operations and have more than 2000 employees worldwide, or those earning more than $1 billion in global annual revenue the last two years.
Understanding the NY DFS Cybersecurity Regulations
The regulation places a heavy emphasis on protecting NPI – a broad category that includes business-related information, personally identifiable information (PII), and healthcare records. Institutions are mandated to document and maintain an inventory of their systems holding NPI and implement procedures for disposing of data no longer necessary for business operations.
The requirements extend to all areas of cybersecurity, mandating companies to identify and assess internal and external threats, implement protective infrastructures, monitor for potential cyber threats, respond and recover from cybersecurity events, and report and certify their cybersecurity programs.
Notably, for Class A organizations, additional requirements include conducting independent cybersecurity audits, implementing endpoint detection and response capabilities, and instituting a centralized security event logging and alert system.
Penalties for Non-Compliance
The consequences for failing to comply with these regulations can be severe. In 2024, NY DFS Superintendent Adrienne Harris announced a fine of $8 million against Genesis Global Trading for failing to comply with DFS regulations, exposing the company to potential cybersecurity threats.
Navigating Compliance with NY DFS Cybersecurity Regulations
Building compliance with these stringent regulations might seem daunting, but the process can be broken down into the following steps:
- Developing an asset inventory of the data you hold and where it is stored.
- Deleting data that no longer serves a business purpose or is beyond its retention period.
- Implementing and operationalizing data governance policies to maintain compliance.
While the road to compliance might be challenging, solutions like Exterro Data Discovery and Data Retention can support companies to effectively navigate these obligations and build a robust cybersecurity infrastructure.
For a more detailed look at the NY DFS Cybersecurity Regulation and what steps organizations must take to comply, download our new checklist, Understanding the New York Department of Financial Services Cybersecurity Regulation.
