New York State Department of Financial Services Cybersecurity Regulation

E159469

The New York State Department of Financial Services Cybersecurity Regulation is a pioneering set of cybersecurity requirements for financial institutions operating in New York, mandating robust risk-based programs, incident reporting, and governance to protect consumers and the financial system from cyber threats.

All labels observed (2)

How this entity was disambiguated

Statements (48)

Predicate Object
instanceOf New York State regulation
cybersecurity regulation
financial regulation
alsoKnownAs 23 NYCRR 500
New York State Department of Financial Services Cybersecurity Regulation
surface form: NYDFS Cybersecurity Regulation
appliesTo banks operating under New York law
financial institutions licensed by the New York State Department of Financial Services
insurance companies regulated by NYDFS
money transmitters regulated by NYDFS
virtual currency businesses licensed by NYDFS
approach risk-based cybersecurity requirements
containsExemptions limited exemptions for small covered entities
effectiveDate March 1, 2017
enforcementBy New York State Department of Financial Services
focusesOn operational resilience against cyber attacks
protection of nonpublic information
geographicScope New York but can apply extraterritorially to covered entities with New York licenses
governanceRequirement board of directors or equivalent oversight of cybersecurity program
periodic reporting by the Chief Information Security Officer to the board or senior management
incidentNotificationDeadline 72 hours from determination of a qualifying cybersecurity event
influenced other U.S. state-level cybersecurity regulations for financial institutions
jurisdiction U.S. state of New York
surface form: State of New York
legalCitation Title 23 of the New York Codes, Rules and Regulations Part 500
nonComplianceConsequences civil monetary penalties
regulatory enforcement actions by NYDFS
purpose to protect consumers from cyber threats
to protect the safety and soundness of the financial system
regulator New York State Department of Financial Services
requires access controls based on least privilege
annual certification of compliance by the board or a senior officer
audit trail systems for certain financial transactions and security events
cybersecurity awareness training for personnel
data retention and secure disposal policies
designation of a Chief Information Security Officer
encryption of nonpublic information in transit and at rest or compensating controls
incident response plan
monitoring and logging of network activity
multi-factor authentication
notification to NYDFS of certain cybersecurity events
penetration testing and vulnerability assessments
periodic cybersecurity risk assessments
periodic review and update of cybersecurity policies and procedures
policies for secure use of portable devices
risk-based cybersecurity program
secure application development practices
third-party service provider security policies
written cybersecurity policy
sector financial services

How these facts were elicited

Referenced by (2)

Full triples — surface form annotated when it differs from this entity's canonical label.

New York State Department of Financial Services issuesRegulation New York State Department of Financial Services Cybersecurity Regulation
New York State Department of Financial Services Cybersecurity Regulation alsoKnownAs New York State Department of Financial Services Cybersecurity Regulation
this entity surface form: NYDFS Cybersecurity Regulation