The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of rules issued by the New York State Department of Financial Services that places cybersecurity requirements on all Covered Entities (the financial institutions and financial services companies it regulates). The regulation requires organizations to assess their cybersecurity risks and develop a plan to address them proactively. Although the rules drew mixed reviews when first proposed, the NYDFS Cybersecurity Regulation is now in full force, and enforcement for violations is expected to follow. Small businesses must comply if they operate, or are required to operate, under a DFS license, registration, or charter, or are otherwise DFS-regulated. Some small Covered Entities qualify for a limited exemption under section 500.19 (for example, those with fewer than 10 employees), but the exemption only lifts certain requirements: the cybersecurity program, written policy, risk assessment, access privilege controls, and third-party service provider policy still apply, and a Notice of Exemption must be filed with DFS.

The NYDFS Cybersecurity Regulation was implemented in four distinct phases. The initial phase required Covered Entities to adopt a written cybersecurity policy and an incident response plan, and to notify the DFS Superintendent within 72 hours of determining that a reportable cybersecurity event has occurred. The second phase required the Chief Information Security Officer to prepare, at least annually, a written report to the board covering the organization's cybersecurity policies and procedures, its material cybersecurity risks, and the effectiveness of its current cybersecurity measures. Phase three required Covered Entities to have a comprehensive cybersecurity program in place, one whose controls are commonly mapped to the NIST Cybersecurity Framework. The final phase required Covered Entities to finalize their vendor management policies for third-party service providers that are granted access to systems and nonpublic information covered by the regulation.

Covered Entities must comply with all of the practices outlined above, including appointing a CISO, conducting periodic risk assessments, maintaining a cybersecurity program that aligns with the NIST Cybersecurity Framework, and investing in third-party vendor risk management policies. Failure to comply with the NYDFS Cybersecurity Regulation can result in fines, although the New York Department of Financial Services has not published a fixed penalty schedule.

Small businesses should take the NYDFS Cybersecurity Regulation seriously, both to avoid fines and to protect their sensitive data and personally identifiable information. It is essential to understand the regulation's requirements and take the necessary steps to implement a comprehensive cybersecurity program. In practice, small businesses may need to invest in cybersecurity personnel and training to keep pace with evolving threats, require multi-factor authentication for anyone accessing internal networks from an external network, conduct periodic penetration testing and vulnerability assessments, and complete the annual certification of compliance.

In conclusion, small businesses must comply with the NYDFS Cybersecurity Regulation to avoid penalties and to protect sensitive data and personally identifiable information. While the regulation may seem prescriptive and stringent, it exists to ensure that the financial services industry upholds its obligation to protect consumers and to prevent cyber-attacks. Small businesses should take proactive steps to assess their cybersecurity risk and develop a plan to address potential threats.
