The NYDFS Cybersecurity Regulation is relevant to all financial services, banking, and insurance organizations doing business in the state of New York that have 10 or more employees or more than $5 million in revenue.

If your organization falls into that category, you should be aware of the NYDFS Cybersecurity Regulation's phased implementation schedule. Each of these due dates defines a specific set of milestones the organization must meet to be deemed compliant.

Key Due Dates

September 1, 2017, March 1, 2018, September 1, 2018, and March 1, 2019

Requirements of Note

In addition to the phased implementation schedule, the NYDFS Cybersecurity Regulation has a number of specific requirements of which organizations should be aware.

Section 500.09: Requires a cybersecurity risk assessment that will drive overall program implementation
Section 500.05: Requires that a CISO report directly to the board (this can be a third party)
Section 500.02: Requires implementation of a security program, including required policies and procedures
Section 500.16: Requires a cybersecurity incident response plan
Section 500.17: Requires notices and submissions to the superintendent
Section 500.XX: Other various technical requirements such as encryption, Two-Factor Authentication (2FA), security monitoring/penetration testing, security training, and data retention

If you would like more information on the NYDFS Cybersecurity Regulation implementation schedule and a breakdown of the entire regulation, you can download our whitepaper below. The whitepaper includes an easy-to-read implementation roadmap and a summary of each requirement outlined in the seventeen sections within the regulation.

Download the Whitepaper
