What is the NYDFS Cybersecurity Regulation (New York Department of Financial Services)?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) comprises a new set of New York Department of Financial Services rules imposing strict digital security requirements on financial institutions, such as banks, mortgage companies and insurance firms. Additionally, NYCRR applies to unregulated third parties working with regulated companies. Under NYCRR affected organizations must implement a detailed cybersecurity plan, articulate wide-ranging policies and establish/operate a cybersecurity incident reporting system. Released in February 2017, NYCRR mandates that each institution conduct a risk assessment and implement controls for effective detection of and response to cyber events. Cybersecurity programs must address five core functions established by the NIST Cybersecurity Framework:

• Develop the organizational knowledge necessary to manage system, asset, data and capability risk
• Deploy cybersecurity infrastructure necessary to defend against these threats
• Implement technologies and processes necessary detect cybersecurity incidents
• Implement necessary incident response protocols and procedures and act to mitigate security events
• Take appropriate remediation steps to recover from security events