
New York Imposes New Cybersecurity Regulations

by John DiGiacomo

Partner


Effective January 1, 2017, banks, financial institutions, and insurance companies in New York will be required to comply with new cybersecurity regulations. The New York cybersecurity regulations are closely aligned with the Center for Internet Security’s 20 CIS Controls. The CIS Controls are the industry standard for cybersecurity and threat prevention. New York, as the home of Wall Street and many financial services providers, took the initiative to impose cybersecurity best practices on an industry that so many Americans depend on, as the number of cybersecurity data breaches affecting businesses and financial services providers has been increasing. We’ve written extensively on this blog about the increase in data breaches and third-party data risks.

Key Provisions of the New York Cybersecurity Regulations

  • Financial Service Providers Must Develop Cybersecurity Programs and Policies. All financial service providers that the new regulations apply to will be required to develop and implement a cybersecurity program, under Section 500.02 of the new regulations, and a cybersecurity policy, under Section 500.03 of the new regulations, within 180 days of the regulations taking effect. The cybersecurity program is meant to ensure that the information systems of covered financial services providers are available, confidential, and resistant to attack. The cybersecurity policy is meant to provide the financial services providers with a framework for handling cybersecurity issues and risk prevention.
  • Appoint a Dedicated Chief Information Security Officer. Financial services providers under Section 500.04 of the new regulations must appoint a dedicated Chief Information Security Officer who is tasked with overseeing and implementing the company’s cybersecurity policies and programs.
  • Hire Dedicated Cybersecurity Personnel and Intelligence. Covered financial services providers must hire dedicated cybersecurity personnel tasked with managing the company’s cybersecurity programs. These dedicated employees must receive regular cybersecurity training and must stay up to date on the ever-changing cybersecurity landscape.
  • Systems Will Be Subjected to Penetration Testing, Vulnerability Assessments, and Risk Assessments. Covered entities’ information systems will be subjected to regular penetration testing (at least once annually), vulnerability assessments (at least quarterly), and cybersecurity risk assessments (at least once annually).
  • Implementation of Multi-Factor Authentication. Covered entities must implement systems that utilize multi-factor authentication for gaining access to secure information systems.
  • Financial Services Providers Must Maintain an Audit Trail. Covered entities must develop and implement an audit trail system that tracks and retains the data needed for the company to reconstruct a breach or attack on its systems. The system must log authorized user access and must be protected against hacking, tampering, or interference.
  • Policies for Third Parties With Access to Covered Entities’ Systems. In situations where third parties have access to a covered entity’s information systems, the covered entity is required to develop policies that govern the third parties’ access to the system. Covered entities must hold third parties accountable for complying with the company’s cybersecurity policies.

Compliance Obligations in Depth: 23 NYCRR Part 500

The New York DFS cybersecurity regulation — 23 N.Y.C.R.R. Part 500 — is the most comprehensive state-level financial services cybersecurity regulation in the United States. Since its initial effective date in March 2017, it has been amended and expanded, most significantly through amendments adopted in November 2023. Any financial services entity subject to DFS oversight needs to understand both the original framework and the current obligations under the updated rule.

The Phased Compliance Timeline

The original regulation was implemented in phases to give covered entities time to build compliance programs:

  • 180 days (September 2017): Core requirements effective, including cybersecurity program, policy, CISO designation, and periodic risk assessment.
  • 1 year (March 2018): Requirements for penetration testing, audit trails, access privileges, and application security became effective.
  • 18 months (September 2018): Multi-factor authentication, training, and third-party service provider security policy requirements became effective.
  • 2 years (March 2019): Encryption requirements for nonpublic information in transit and at rest became effective.

The 2023 amendments created additional phased compliance timelines for the new requirements, with most provisions taking effect between April 2024 and November 2025.

Annual Certification Requirements

Section 500.17 of the regulation requires each covered entity to submit an annual certification of compliance to DFS. This certification must be signed by the covered entity’s CISO and a senior executive and must affirmatively represent that the covered entity is in compliance with all applicable requirements of Part 500. The certification requirement is not a mere formality — it creates direct accountability for senior management and exposes signatories to personal liability for false certifications.

DFS has made clear that it will scrutinize annual certifications and will investigate companies that certify compliance while maintaining known deficiencies. The enforcement actions DFS has brought to date have involved companies whose compliance certifications were filed while significant gaps in their cybersecurity programs existed.

The 72-Hour Incident Notification Requirement

Section 500.17(a) requires covered entities to notify DFS within 72 hours of determining that a cybersecurity event has occurred that is of a type that either requires notice to any government body, self-regulatory agency, or other supervisor under applicable law, or that has a reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information.

This 72-hour window is extremely tight. A covered entity that experiences a ransomware attack on a Friday morning may be required to notify DFS before Monday morning, even while its incident response team is still working to contain the attack. Covered entities need notification protocols established and tested in advance — the 72-hour clock does not pause for investigations in progress.

DFS Enforcement: Substantial Penalties Are Being Imposed

DFS has brought a series of enforcement actions that demonstrate the real financial consequences of Part 500 non-compliance:

  • First American Title Insurance Company (2023): $1 million penalty for failure to remediate a known vulnerability that exposed hundreds of millions of documents containing nonpublic financial information. This was a landmark case in which DFS demonstrated that a company’s failure to follow up on its own internal risk assessment findings would be treated as a serious violation.
  • OneMain Financial (2023): $4.25 million penalty for multiple violations including failure to implement multi-factor authentication for all authorized users and failure to maintain a comprehensive cybersecurity policy.
  • EyeMed Vision Care (2022): $4.5 million penalty for failures that contributed to a phishing attack compromising 2.1 million individuals’ personal information, including failure to conduct penetration testing and failure to implement MFA.

Contact a Data Breach Attorney

The New York cybersecurity regulations for financial services providers are the most demanding state-level cybersecurity framework in the country, and they continue to evolve. Revision Legal consistently stays at the forefront of this change and can help your business achieve and maintain compliance. Contact the experienced data breach attorneys at Revision Legal using the form on this page or call us at 855-473-8474.
