By: Libby King on June 26th, 2026
Inside NYS DFS: Breaking Down Cybersecurity Regulation and Compliance Requirements
The New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation, 23 NYCRR Part 500, took effect in 2017 and was substantially amended in November 2023. Many leaders have heard of DFS, but fewer understand what it means for their operations, decision-making, and personal accountability.
A Simple Overview of DFS Regulation
NYS DFS regulation requires organizations to understand their cyber risk, put reasonable safeguards in place (written policies, technical controls, and a framework that ties them together), assign accountability, and be prepared to respond when a cybersecurity event occurs.
It applies to organizations that are regulated by NYS DFS under the New York Banking Law, Insurance Law, or Financial Services Law.
This is a requirement, not optional guidance. It is an enforceable regulation, and organizations can face consequences if they fail to meet the requirements.
Why NYS DFS Cybersecurity Regulation Exists
Financial organizations are prime targets for cyberattacks because of the value of the data they hold, and inconsistent security approaches across the industry raise the risk of a breach.
DFS regulation exists to ensure organizations know their risks, put protections in place to proactively prevent risks, monitor for threats, respond quickly, and take accountability.
What Organizations Need to Do to Comply with DFS Regulation
1. Have a Formal Cybersecurity Program
You need a documented cybersecurity program that explains how your organization protects its systems, information, and operations. This is the baseline to proving you are taking action against threats.
2. Perform and Maintain a Risk Assessment
You need a written risk assessment. Review and update it at least once a year, and revisit it whenever a change in your business or technology materially changes your cyber risk. The controls you choose elsewhere in the program should be traceable back to this assessment.
3. Conduct Annual Penetration Testing
Organizations need a regular process for managing vulnerabilities. At a minimum, this includes penetration testing at least once a year by a qualified internal or external party, performed from both inside and outside the boundary of your information systems, plus automated vulnerability scans and manual reviews at a frequency set by your risk assessment. Findings need to be tracked and remediated in a timeframe that matches their severity, not just recorded.
4. Implement Baseline Security Controls
Organizations need baseline technical controls to protect nonpublic information. Note that the regulation now requires multi-factor authentication for any individual accessing any of the organization's information systems, not only for remote access. In practice this looks like:
- Multi-factor authentication
- Appropriate access controls
- Endpoint protection
- Monitoring
5. Monitor, Detect, and Respond
You need the ability to detect suspicious activity, respond to incidents, and recover business operations if a cybersecurity event occurs.
6. Report Cybersecurity Incidents
If a cybersecurity incident occurs, it must be reported to NYS DFS within 72 hours of determining that it happened, even if the incident affects a third-party service provider rather than your own systems. Extortion (ransomware) payments must be reported within 24 hours of the payment, with a written explanation of why the payment was necessary and what alternatives were considered due within 30 days.
7. Manage Third-Party Risk
You need to evaluate vendor risk and keep an eye on third parties that access your systems, information, or essential services.
8. Train Your Employees
Without awareness, attacks are much more likely to succeed. Employees need regular cybersecurity awareness training so they can recognize threats such as phishing, social engineering, and unsafe behavior.
9. Be Able to Prove It
It is not enough to say controls are in place. You need documentation and evidence that show how your organization is meeting the requirements that apply to it.
10. Leadership Accountability
Leadership is expected to be involved. Each year, the organization must submit a filing to DFS signed by its highest-ranking executive and its CISO. This filing either certifies material compliance or acknowledges noncompliance and lists the areas that still need work. Beyond this filing, leadership should be heavily involved in ensuring there is a tested plan in place for responding to a security breach. Responsibility cannot and should not fall solely on IT.
Required DFS cybersecurity Regulation Policies
The regulation also requires written cybersecurity policies and procedures. In plain terms, that means leadership should expect documented rules for how the organization protects systems, data, access, vendors, operations, and incident response.
- Information Security Policy
- Data Governance and Classification
- Asset Inventory and Device Management
- Access Controls and Identity Management
- Business Continuity and Disaster Recovery (BCDR)
- Systems Operations and Availability
- Network Security
- System and Application Development / Change Management
- Risk Assessment
- Incident Response
- Vendor and Third-Party Management
- Customer Data Privacy
- Cybersecurity Personnel and Intelligence
- Monitoring and Logging
What Changed in the 2023 DFS Updates
The 2023 updates raised the bar.
They focus more on:
- Leadership oversight
- Stronger technical controls
- Better visibility into assets and activities
- Formal recovery planning
- Clearer compliance reporting
Larger organizations classified as Class A companies (roughly, those with over $20 million in gross annual revenue from New York operations and either 2,000 or more employees or over $1 billion in total gross annual revenue) have additional obligations, including annual independent audits of their program, privileged access management, and endpoint detection and response with centralized logging.
In Short,
If your organization is covered by NYS DFS, you need more than good intentions.
You need a strong cybersecurity program. This includes:
- Documented policies
- Leadership involvement
- Ongoing testing and monitoring
- Proof that the program is effective
These elements work together to keep your organization compliant with DFS security regulations.
Do Vendors Need to Comply with NYS DFS Cybersecurity Regulations?
Even if your business is not directly regulated by the New York State Department of Financial Services (NYS DFS), you may still feel its impact.
Companies under DFS regulations, like insurance carriers, banks, and financial institutions, are raising their cybersecurity expectations for their vendors.
Why Vendors Are Being Asked for Cybersecurity Compliance
If you’re a vendor such as a law firm, marketing agency, or technology provider, you may encounter requests like:
- “Can you show your cybersecurity policies?”
- “Do you follow any frameworks like NYS DFS or NIST?”
- “Can you demonstrate how you protect client data?”
For example: A law firm being onboarded as a vendor by a major insurance company may be asked to provide proof that it follows secure data handling practices. The firm isn't legally bound by NYS DFS, but the client must manage third-party risk. That includes your business.
What Clients Really Mean by “DFS Compliance” for their Vendors
In most cases, your client is not expecting you to be fully DFS-compliant.
Instead, they want to see that you have:
- A structured cybersecurity program
- Reasonable safeguards in place
- Documented policies and procedures
- Ongoing risk management practices
Cybersecurity Frameworks That Support DFS Compliance Expectations
If NYS DFS doesn’t apply directly, vendors often align with more flexible frameworks, such as:
- NIST Cybersecurity Framework (CSF) – A widely used guideline for managing cybersecurity risk
- SOC 2 – An independent attestation report on a service provider's security controls (common for service providers; a Type II report covers how the controls operated over a period of time)
These frameworks can help you meet client expectations without needing to adopt DFS in full.
What to Do If a Client Asks About DFS or Compliance
If you get requests about cybersecurity or compliance, don’t ignore them. They are becoming common, and you’ll likely face similar questions later.
Here’s how to approach it:
- Assess what you currently have in place; even informal processes can be a starting point.
- Identify gaps like missing documentation, policies, or controls.
- Choose a framework to align with to give you structure and credibility.
- Work with a managed compliance partner if needed. Many organizations choose outside experts to help them:
- Build a program
- Document controls
- Prepare for client audits or questionnaires
- Maintain compliance year over year
Why Being Proactive Matters for Vendors
Vendors who can confidently answer compliance questions have a clear advantage. Instead of reacting to client requests, they’re able to:
- Win business faster
- Build trust more quickly
- Avoid delays during onboarding
- Stand out from competitors who are unprepared
Strengthen Your Approach to NYS DFS and Compliance
While NYS DFS is designed for regulated financial institutions, its influence extends far beyond them. Having a clear and documented cybersecurity plan is now a must for all businesses. This applies whether you're directly regulated or part of the wider vendor ecosystem. It's not just about meeting regulations anymore; it's vital for your business's security and reputation.
Get ahead of these requests by partnering with a managed compliance provider like Usherwood. A proactive approach can help demonstrate your organization’s security maturity while protecting your business and employees. To learn more about NYS DFS or broader compliance requirements, request a technology evaluation or connect with a representative using our chat feature.