

The NYDFS Cybersecurity Regulation applies to the following entities which are regulated by the Department of Financial Services:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Foreign banks licensed to operate in New York
  • Mortgage companies
  • Insurance companies
  • Service providers


A cybersecurity program that complies with the new NYDFS Cybersecurity Regulation will align to the NIST Cybersecurity Framework to:

  • Identify internal and external cybersecurity threats
  • Deploy infrastructure to protect against cyber threats
  • Use a system that detects, responds to, and recovers from cybersecurity events
  • Achieve requirements for regulatory reporting

The NYDFS Cybersecurity Regulation requires covered institutions to implement and monitor a documented cybersecurity policy. The policy must align with industry standards from ISO 27001. It covers information security, access controls, disaster recovery forecasting, systems and network security, data privacy for customers, and consistent risk assessments.

Organizations covered by the NYDFS Cybersecurity Regulation are also required to:

  • Assign a Chief Information Security Officer (CISO) to manage the cybersecurity program or use a third-party organization that offers CISO as a service
  • Inform the NYDFS about any cybersecurity events that could potentially cause material harm
  • Monitor and limit access privileges given to users

The NYDFS Cybersecurity Regulation goes beyond typical industry best practices by requiring the following:

  • Organizations must enable encryption controls for sensitive data
  • Covered entities must certify their compliance with the regulations on a yearly basis
  • Multi-factor authentication must be implemented for inbound connections to the entity's network
  • All cybersecurity incidents must be documented and reported


The NYDFS Cybersecurity Regulation is a set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions. The rules were released on February 16, 2017 and went into effect on August 28, 2017. The regulation imposes strict cybersecurity rules on covered organizations, including the establishment of a detailed cybersecurity plan, cybersecurity policies, reporting systems, and security staff. Each of these components carries additional requirements.

Copyright 2019 by RB Advisory LLC