top of page

New York State Department of Financial Services CyberSecurity Regulations


On March 1, 2017, the cybersecurity regulations of New York State's financial regulatory body, the Department of Financial Services, became effective. Both financial services companies and their law firms will have to comply with rules designed to protect costumer data. The regulations are the first of their kind in the nation. See the requirements, under Title 23 of the Codes, Rules, and Regulations of New York State, which are posted here.

The new regs require each covered entity to implement a cybersecurity program and have a written cybersecurity policy. There must be a specific incident response plan. Businesses must designate one person as their Chief Information Security Officer, who has to prepare a report to the board of directors each year, which lists material cybersecurity risks, and "material Cybersecurity Events involving the Covered Entity during the time period addressed by the report."

The cybersecurity program has to include penetration testing that is conducted annually, and have systems that provide for an audit trail for cybersecurity events, which is recorded for at least five years. Access privileges have to be implemented to control privileges for nonpublic information, and use of specific in-house applications. A risk assessment of information systems has to be performed periodically. Cybersecurity personnel have to receive continuing training in their field, and all users must receive some kind of cybersecurity training.

The policies must address the use of data by Third Party Service Providers, which include law firms. Compliance with this provision is not required until 2018.

Multi-factor authentication to required to access internal networks from external networks. There must be policies in place to dispose of nonpublic information when it is no longer necessary for a business purpose.

The regulations require that nonpublic information be encrypted in some circumstances.

When a cybersecurity event occurs, the Superintendent of the Department of Financial Services has to be notified within 72 hours.

Entities with fewer than 10 employees, or less than $5M in gross revenue, or less than $10M in assets, are exempt from some of the regulations.

Covered entities have to file a Certificate of Compliance with the Department of Financial Services by February 15, 2018.


bottom of page