ny-imgMake no mistake this regulation is a rigorous, first-in-the-nation cybersecurity regulation that is truly ground breaking. The requirements from DFS go beyond what we’ve historically seen from regulators.

  • If you are a “Covered Entity” defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under”:
    • Banking Law
    • Insurance Law
    • Financial Services Law

You should be grateful for this regulation as it will help your business be resilient in the current Cyber threat landscape. It will not be easy, due to the prescriptive nature and comprehensiveness of the regulation which covers:

  • 02 Cybersecurity Program
  • 03 Cybersecurity Policy
  • 04 CISO
  • 05 Pen Testing & Vulnerability
  • 06 Audit
  • 07 Access Privileges
  • 08 Application Security
  • 09 Risk Assessment Assessments
  • 10 Cyber Personnel & Intelligence
  • 11 Third Party Provider Security
  • 12 Multi-factor Authentication
  • 13 Limits on Data Retention
  • 14 Training & Monitoring
  • 15 Encryption of Data
  • 16 Incident Response Plan
  • 17 Notice to Superintendent but since there is a strong emphasis

I would like to stress though the benefits will far outweigh the efforts and cost as this will help companies be better prepared for the new operating environment. An environment of risks from competitors, bad actors, emerging technology and nation states. It is the intent of NY DFS that cybersecurity programs can match the relevant risks and keep pace with technological advances.

Even the exempt entities:

  • Fewer than 10 employees, including independent contractors, or
  • Less than $5 million in revenue the last three fiscal years, or
  • Less than $10 million in year-end assets, including assets of all Affiliates.

Will still benefit as they have to demonstrate a documented approach for:

  • 02 Cybersecurity Program
  • 03 Cybersecurity Policy
  • 07 Access Privileges § 500.09 Risk Assessment
  • 11 Third Party Provider Security
  • 13 Limits on Data Retention
  • 17 Notice to Superintendent.

The initial phase of the transitional and implementation period for the regulation is currently underway, and regulated entities will have to submit their initial certification of compliance to the DFS by February 15th, 2018.


It is vital to establish a strategy for NY DFS compliance now for a couple of reasons – this is a risk based approach that will help establish your unique risks.

Also there may be some aspects that are more time consuming than expected and the regulation has very aggressive timeline.

This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

Contact OutSecure at (203) 816-8061 to create and or validate your strategy for meeting NY DFS Cybersecurity regulation. We are making it easier for our clients to meet the regulation and get the full benefit of a risk management program that allow for their risk mitigation, transfer or acceptance.