Since its announcement, this set of requirements has undergone a few changes, and its legal language can be unclear. What is the NYDFS cybersecurity regulation, and how does it impact you? Let’s take a closer look.
What Is NYDFS’s Cybersecurity Regulation?
The NYDFS cybersecurity regulation (23 NYCRR Part 500) sets minimum cybersecurity requirements for financial services companies regulated by the New York State Department of Financial Services. Like Europe’s General Data Protection Regulation (GDPR), it aims to protect individuals’ data by holding companies to a defined standard; in this case the standard draws heavily on the NIST Cybersecurity Framework.
Under these regulations, New York financial companies have to:
- Conduct periodic risk assessments and test their systems, including penetration testing and vulnerability assessments.
- Keep audit trails: records needed to reconstruct material financial transactions for at least five years, and logs designed to detect and respond to cybersecurity events for at least three years.
- Have policies and procedures for securely disposing of nonpublic information they no longer need.
- Limit user access privileges to systems that hold nonpublic information (the regulation’s term, which covers Personally Identifiable Information (PII) and more) and periodically review those privileges.
- Maintain a written incident response plan covering how incidents are detected, responded to, recovered from, and reported.
- Notify NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred (one that must be reported to another government or supervisory body, or that has a reasonable likelihood of materially harming normal operations).
Unlike some similar laws, the NYDFS cybersecurity regulation spells out in detail what these security programs, policies, and reporting plans must contain. It also requires companies to manage the security of their third-party service providers, not just their own internal operations.
These requirements make this regulation one of the broadest and strictest in any US state. Businesses that violate it can face substantial fines under the superintendent’s enforcement powers, but how penalties will be applied in practice is still unclear.
Who Does the NYDFS Cybersecurity Regulation Apply To?
The NYDFS cybersecurity regulation applies to any person or entity operating under, or required to operate under, a license, registration, charter, certificate, permit or similar authorization from the NYDFS under New York’s Banking, Insurance or Financial Services Laws. That covers financial and insurance companies doing business in New York, including:
- Banks
- Credit unions
- Investment companies
- Licensed lenders
- Mortgage brokers
- Insurance providers
- Savings and loan associations
These covered entities include local businesses and foreign companies licensed to do business in New York. For example, even though Deutsche Bank is a German company, it has to comply with 23 NYCRR Part 500 because its New York branch operates under an NYDFS license.
There are a few limited exemptions. Companies with fewer than 10 employees (including independent contractors), less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $10 million in year-end total assets qualify for a limited exemption: they are excused from some of the more resource-intensive requirements (such as appointing a CISO and conducting penetration testing) but must still maintain a cybersecurity program and policy, limit access privileges, assess risk, manage third-party risk, dispose of data securely, and report cybersecurity events. (The November 2023 amendment raised these thresholds to fewer than 20 employees, less than $7.5 million in revenue, and less than $15 million in assets.) A similar limited exemption covers entities that don’t operate information systems or handle nonpublic information at all, but that’s unlikely for a financial services company. Exemptions aren’t automatic: a company has to file a Notice of Exemption with the department.
What Does the Cybersecurity Regulation Mean for You?
If you bank in New York, your institution probably falls under these rules. Even if you don’t, the NYDFS cybersecurity regulation could still apply to your bank: if it has an NYDFS-licensed branch in the state and exceeds the exemption thresholds, it has to comply.
As a customer of the bank, you don’t have to take any steps under these requirements. You may see some changes in how your financial institution or insurer operates, though. You may be required to use additional security steps such as multifactor authentication (MFA), or find that access to accounts and data is more tightly controlled, as these companies tighten their security measures.
The NIST Cybersecurity Framework that inspired these rules emphasizes timely information sharing, but Part 500 itself requires notice to the department, not to customers. If an incident at your bank or insurer exposes your personal information, the notice you receive will usually come under New York’s separate breach notification law (General Business Law section 899-aa) or the equivalent law where you live. You likely won’t have to do anything beyond what such a notice recommends, but you can expect to receive these types of messages.
Even if you have no legal obligation under 23 NYCRR Part 500, it’s best to be careful with your financial information. Always use unique, strong passwords, enable MFA wherever it’s offered, and never share PII with a party you can’t verify. The strictness of these regulations highlights how important these issues are, so practice caution.
Governments Are Taking Cybersecurity More Seriously
The NYDFS cybersecurity regulation is one of many recent examples of state and national governments issuing cybersecurity rules. As digital tools become increasingly common in everyday life, these rules will only grow in number and scope.
Consumers and businesses alike should stay up to date about these regulations to make sure they’re compliant. These changes may seem to complicate things at first, but they’re a necessary step toward better security.