What is New York DFS Cybersecurity Regulation?
New York State Department of Financial Services Cybersecurity Regulation: This regulation applies to New York State's banks, trusts, credit unions, insurance agents, brokers, mortgage, investment and holding companies. If you are any of these organizations, you must comply with this new regulation. Make sure you get legal counsel to check whether or not you need to comply.
As just a very broad overview, if you are a large financial services firm here in New York State, then you have to comply with both sides of the list above. If you are a smaller firm, you might only have to comply with the list of controls on the left-hand side. This limited exemption applies to you only if you have fewer than 10 employees, or less than $5 million in gross annual revenue, or less than $10 million in year-end total assets. If any of these applies to you, then you are a limited exemption organization and you only have to comply with the items on the left. If none of them applies, then there is a total of 14 policies that you have to comply with. Just like HIPAA, the main component of this law is Risk Assessment. You wouldn't want to spend your money on shiny technical controls like firewalls and DLPs for no reason, so it's important that you do a risk assessment to understand what the risks to your organization are; then you can figure out how to deal with them and which controls and policies to use. Risk assessment is one of the first things that you have to do.
One thing to note here is that no other regulation has Multi-Factor Authentication as a rule. 23 NYCRR 500 specifically asks you to put multi-factor access controls in place. This will roll over to other regulations like HIPAA and PCI DSS in the future. Also, you don't physically have to be located in New York State to be covered by this regulation: if you are licensed to do business in banking, insurance or financial services in New York State, you have to comply. This regulation asks you to know your risk and then have a plan to reduce it. Another thing to note is that DFS doesn't specify a tool for continuous monitoring. NY DFS doesn't answer the "how" part in this regulation; it doesn't tell you how to implement these requirements. And at the end of the day, a senior officer at the company has to sign the certification, which has to be sent to the NY DFS superintendent.
Another way to look at this regulation is through the fundamental principles of cybersecurity: People, Process, and Technology (PPT):
All these sections should be in line with the NIST Cybersecurity Framework, so they map onto its five functions: Identify, Protect, Detect, Respond and Recover.
Reference: New NYDFS Cybersecurity regulation