CyberRisk Solutions knows exactly what needs to be done and how to do it, and provides the mandated solutions you need to become compliant and confident

Understanding NYDFS Cybersecurity Regulations

Look, we get it, these regulations and timelines can be confusing. So what’s most important to us is that you understand exactly what’s being asked of you.

NYDFS Cybersecurity Rules

After an initial 90-day review period and subsequent revisions, the New York State Department of Financial Services (NYDFS) has formalized its best-in-country standards for cyber risk management as of December 28th, 2016. The new NYDFS cybersecurity regulations go into effect on March 1, 2017.

The rules impact over 2,200 financial institutions operating under a license or authorization of NY State Law.  Each company is required to assess its specific risk profile and design a program that addresses its risks in a robust fashion. The regulations are designed to ensure senior management participation via an annual certification process.  Given the timeline to meet the targets and the consequential surge in demand for cyber expertise, it is in the best interest of affected institutions to begin to prepare as soon as possible.

General Categories of the NYDFS Regulations

  • Maintaining a cybersecurity program, including the adoption of a written cybersecurity policy
  • Implementing and maintaining written policies and procedures regarding application security, data retention, and information systems and nonpublic information accessible to or held by third-party service providers
  • Periodically assessing information systems
  • Designating a qualified individual to function as Chief Information Security Officer (CISO) and the CISO’s responsibilities
  • Employing and training of cybersecurity personnel and training for all personnel
  • Technical requirements, including multi-factor authentication and encryption of nonpublic information
  • Oversight requirements including penetration testing, vulnerability assessments, risk assessments, and audit trail systems
  • Creating a written incident response plan and notification to the superintendent in the event of a cybersecurity event
  • Annual certification (the “Certification of Compliance”) by senior executives (or possibly by entire Boards of Directors) to the NYDFS Superintendent of compliance with the cybersecurity regulation


  • Entities that do not operate, maintain, utilize or control any Information System, and are not required to own, access, generate, receive or possess Non Public information will be exempt from some but not all regulations
  • Entities with less than 10 employees
  • Entities with < $5,000,000 in gross annual revenue in each of the last three fiscal years
  • Entities with < $10,000,000 in year-end total assets will be exempt from some but not all regulations

NYDFS Cybersecurity Regulations Timeline

September 1, 2017

  • Develop Cyber Program predicated on the entity’s Risk Assessment
  • Implement and maintain written…

February 15, 2018

Initial Certification of Compliance submissions must be filed

March 1, 2018 (1 year after the Effective Date)

  • Initial CISO Report
  • Penetration Testing and Vulnerability Assessments
  • Risk Assessment
  • Multi-Factor Authentication
  • Training…

September 1, 2018 (18 months after the Effective Date)

  • Audit Trail
  • Application Security
  • Limitations on Data Retention
  • Monitoring of Authorized Users…

March 1, 2019

Third-Party Service Provider Security Policy

We’d Love To Help!

How We Can Help:

CyberRisk Solutions offers a number of options to help you reach the specific compliance targets for NYDFS and its new cybersecurity regulations, along with those of other regulatory bodies that are focused on raising the bar to address cybersecurity risk. Here’s what we can handle for you:

  • Development of the full Cyber Security Program
  • Be the Official CISO
  • etc….


Let’s Talk!

If Security, Peace of Mind, and Confidence is Your Thing… then let us do Ours!