—What is the DFS Cyber Security Regulation?
The NY DFS Cybersecurity Regulation (23 NYCRR 500) is a new set of regulations from the NY Department of Financial Services (NYDFS) that places new cybersecurity requirements on all covered financial institutions. The rules were released on February 16th, 2017 after two rounds of feedback from industry and the public. These regulations acknowledge the ever-growing threat posed to financial systems by cyber criminals, and are designed to ensure businesses effectively protect their customers’ confidential information from cyber attacks. This includes conducting regular security risk assessments, keeping audit trails of asset use, providing defensive infrastructures, maintaining policies and procedures for cyber security, and creating an incident response plan.
—Who Needs to Comply?
The NYDFS Cybersecurity Regulation applies to all covered entities, meaning “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
This includes, but is not limited to:
Foreign banks licensed to operate in New York
There are limited exemptions to the NYDFS Cybersecurity Regulation. Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.