In January 2017, the New York Department of Financial Services adopted a rule requiring covered entities to implement a comprehensive cybersecurity program. In particular, the cybersecurity program must:

  • identify internal and external risks to Nonpublic Information (NPI);
  • use defensive infrastructure, policies, and procedures to protect Information Systems;
  • detect Cybersecurity Events;
  • respond to, mitigate the effects of, and recover from Cybersecurity Events; and
  • fulfill all reporting obligations.1

Other requirements of the rules include:

  • All Covered Entities must also implement written policies and procedures concerning risk assessment and conduct risk assessments of their Information Systems periodically, and must implement a written incident response plan to respond to and recover from any Cybersecurity Event that affects the Covered Entity’s Information Systems or business.2
  • All Covered Entities also must implement written policies and procedures concerning Third-Party Service Providers.3
  • Covered Entities must designate a qualified individual to oversee and implement the Covered Entity’s cybersecurity program and enforce its cybersecurity policy, serving as Chief Information Security Officer (CISO) or in a comparable position.4

The rules also include a number of technical, reporting, and recordkeeping requirements of which covered entities must be aware.  In particular, the rules impose a 72-hour notification requirement for certain Cybersecurity Events that meet threshold triggers.5


1 N.Y. Codes R. & Regs. tit. 23, § 500 (2017).

2 Id. § 500.2-3, 16.

3 Id. § 500.11.

4 Id. § 500.4.

5 Id. § 500.17.