NYDFS Cybersecurity Regulation – Are you ready to comply?

Aug 24, 2017

August 28th marks the end of the 180 day transition period outlined by the New York Department of Financial Services (NYDFS) cyber security regulations. All firms regulated by the NYDFS are expected to:


  • Align your Cybersecurity Program to the NIST Cybersecurity Framework – this allows firms to demonstrate that their cybersecurity controls are in compliance with a framework standard
  • Establish a Cybersecurity Policy – this policy allows firms to show an organized approach to cybersecurity governance
  • Hire/appoint a Chief Information Security Officer or designate a Third party – this individual or firm manages the cybersecurity and related controls for the firm
  • Review/Assign access privileges – Firms will demonstrate proper controls for user access to data
  • Ensure that there are sufficiently trained cyber staff – Cyber staff are required to be trained professionals
  • Define a Written Incident Response Plan – firms will demonstrate readiness for cyber attacks
  • Begin reporting cyber incidents to the NYDFS within 72 hours – firms will report declared cyber incidents within the required timeframe via the NYDFS portal.

Failure to meet these deadlines which will be documented and tracked by the NYDFS, will result in fines, revoking of licenses or holding responsible the Board member or officer who will sign the annual certification. Cybersecurity is a global phenomenon and these NYDFS cyber requirements are seen as the initial push in the United States to create a revolution to hold firms in many industries accountable for protecting their customers’ data and information. Within the United States, similar regulation has come out in Colorado, and in Europe the General Data Protection Regulation will come into play in May 2018, and should be on the radar of fund managers, investment advisers, and every company that processes data related to living EU residents. Many firms have been cited for having poor controls and lack proper cybersecurity documentation. It is very essential that firms establish and maintain effective cybersecurity documentation and controls. Firms operating under the jurisdiction of NYDFS must now look beyond the August 28 deadline if they are in compliance and begin looking towards achieving similar objectives by September 27, 2017 when the next set of deadlines start. Are you ready? Download our checklist to comply with the NYDFS cybersecurity regulations.