The New York State Department of Financial Services (NYS DFS) Cybersecurity Regulation, or 23 NYCRR 500, started in 2017 and had major updates in 2023. Many leaders have heard of DFS, but few comprehend what it means for their operations, decision-making, and accountability.
NYS DFS regulation requires organizations to understand their cyber risk, put reasonable safeguards in place like frameworks or policies, assign accountability, and be prepared to respond if a cyberthreat appears.
It applies to organizations that are regulated by NYS DFS under the New York Banking Law, Insurance Law, or Financial Services Law.
This is a requirement, not optional guidance. It is an enforceable regulation, and organizations can face consequences if they fail to meet the requirements.
Financial organizations are prime targets for cyberattacks because their data is highly valuable, and inconsistent security approaches raise the risk of a breach.
DFS regulation exists to ensure organizations know their risks, put protections in place to proactively prevent risks, monitor for threats, respond quickly, and take accountability.
You need a documented cybersecurity program that explains how your organization protects its systems, information, and operations. This is the baseline to proving you are taking action against threats.
You need a written risk assessment. Review it regularly and update it at least once a year. Also, revisit it whenever your organization's cyber risks change significantly.
Organizations need a regular process for managing vulnerabilities. This should include ongoing testing and reviews of systems. At a minimum, this includes penetration testing at least once a year from both inside and outside the environment, based on the organization’s risk.
Organizations need basic security controls, such as Zero Trust, to help protect sensitive information. This looks like:
You need the ability to detect suspicious activity, respond to incidents, and recover business operations if a cybersecurity event occurs.
If a cyber attack does take place, it must be reported to NYS DFS within 72 hours. In some cases, extortion payments also have to be reported within 24 hours, with follow-up details provided later.
You need to evaluate vendor risk and keep an eye on third parties that access your systems, information, or essential services.
Without awareness, security threats are much more likely to succeed. Employees need regular cybersecurity awareness training so they can recognize threats such as phishing, social engineering, and unsafe behavior.
It is not enough to say controls are in place. You need documentation and evidence that show how your organization is meeting the requirements that apply to it.
Leadership is expected to be involved. Each year, the organization must submit a filing signed by a member of leadership. This filing either confirms compliance or notes areas that still need work. Beyond this requirement, leadership should be heavily involved in ensuring there is a tested plan in place for responding to a security breach. Responsibility cannot and should not fall solely on IT.
The regulation also requires written cybersecurity policies and procedures. In plain terms, that means leadership should expect documented rules for how the organization protects systems, data, access, vendors, operations, and incident response.
The 2023 updates raised the bar.
They focus more on:
Larger organizations classified as Class A companies have additional obligations.
If your organization is covered by NYS DFS, you need more than good intentions.
You need a strong cybersecurity program. This includes:
These elements work together to ensure your organization complies with DFS security regulations.
Even if your business is not directly regulated by the New York State Department of Financial Services (NYS DFS), you may still feel its impact.
Companies under DFS regulations, like insurance carriers, banks, and financial institutions, are raising their cybersecurity expectations for their vendors.
If you’re a vendor, such as a law firm, marketing agency, or technology provider, you may encounter requests like:
For example, a law firm onboarding a major insurance company may be asked to provide proof that it follows secure data handling practices. The firm isn't legally bound by NYS DFS, but the client must manage third-party risk. That includes your business.
In most cases, your client is not expecting you to be fully DFS-compliant.
Instead, they want to see that you have:
If NYS DFS doesn’t apply directly, vendors often align with more flexible frameworks, such as:
These frameworks can help you meet client expectations without needing to adopt DFS in full.
If you get requests about cybersecurity or compliance, don’t ignore them. They are becoming common, and you’ll likely face similar questions later.
Here’s how to approach it:
Vendors who can confidently answer compliance questions have a clear advantage. Instead of reacting to client requests, they’re able to:
While NYS DFS is designed for regulated financial institutions, its influence extends far beyond them. Having a clear and documented cybersecurity plan is now a must for all businesses. This applies whether you're directly regulated or part of the wider vendor ecosystem. It's not just about meeting regulations anymore; it's vital for your business's security and reputation.
Get ahead of these requests by partnering with a managed compliance provider like Usherwood. A proactive approach can help demonstrate your organization’s security maturity while protecting your business and employees. To learn more about NYS DFS or broader compliance requirements, request a technology evaluation or connect with a representative using our chat feature.