Skip to main content

As of November 1, 2024, the new amendments to the New York State Department of Financial Services (NYDFS) Cybersecurity Regulations have officially come into play. These regulations are significant for financial institutions, insurance companies, and other businesses under NYDFS supervision, as they require organizations to upgrade their cybersecurity frameworks, policies, and procedures. It’s not just about ticking off regulatory boxes. These regulations are designed to help organizations build a robust defense against cyber threats, ensuring long-term security and customer trust.

A Quick Look Back at the Regulations

The NYDFS first introduced its comprehensive cybersecurity regulations on March 1, 2017. The initial intent was to ensure that financial services companies and other regulated entities could effectively safeguard sensitive customer data. In November 2023, these regulations were amended, and now, as of November 1, 2024, key provisions have come into effect, reshaping how businesses address cybersecurity.

Who Is Affected by These Regulations?

If your company is a covered entity, you are subject to these regulations. This includes organizations like:

  • Financial institutions
  • Insurance companies
  • Mortgage brokers
  • Money transmitters
  • Check cashers
  • And many other financial service providers

These regulations apply to all covered entities, but it’s important to note that Class A companies, which are typically large firms, will have additional requirements to comply with. Small businesses, on the other hand, may be exempt from some of the provisions.

Key Changes Effective as of November 1, 2024

The amended regulations enforce stricter rules around several core aspects of cybersecurity, requiring businesses to ensure that their systems, processes, and policies meet modern standards. Here’s a breakdown of some key provisions that took effect on November 1, 2024, and how they affect your organization:  

1. Corporate Governance and Oversight – Section 500.04

One of the most significant changes involves corporate governance. Under Section 500.04, the Chief Information Security Officer (CISO) is now required to regularly report cybersecurity issues to the board of directors or senior governing body. This includes reporting on significant cybersecurity events and any material changes to the organization’s cybersecurity program.

Moreover, the senior governing body must oversee cybersecurity risk management, ensuring they have the knowledge and information to exercise this oversight effectively. This change elevates cybersecurity from an IT concern to a core business issue that needs to be understood and managed at the highest levels.

2. Encryption of Nonpublic Information – Section 500.15

Data encryption is no longer just a best practice; it’s a mandatory requirement under Section 500.15. All nonpublic information—both in transit and at rest—must be encrypted according to industry standards. Organizations can only use compensating controls for data at rest if these alternatives are approved by the CISO in writing.

For businesses handling large volumes of sensitive data, this shift demands significant upgrades to encryption systems and processes, ensuring that customer information is always protected against breaches.

3. Incident Response Plan – Section 500.16

Preparedness is key when it comes to cybersecurity, and the amended regulations enforce a detailed approach to incident response under Section 500.16. Covered entities must have a written incident response plan that outlines how they will respond to cybersecurity events, including:

  • Internal response procedures
  • How backups will be used for recovery
  • How the organization will conduct root cause analysis post-event

Incident response planning must be thorough and include annual testing to ensure that all aspects, from detection to recovery, are fully functional.

4. Business Continuity and Disaster Recovery – Section 500.17

In today’s threat landscape, businesses must be ready to recover quickly from cyber incidents. Section 500.17 mandates that covered entities establish a comprehensive business continuity and disaster recovery (BCDR) plan. The plan should cover how to maintain critical operations and restore them from backups in the event of a cybersecurity breach.

These plans must be regularly tested to ensure effectiveness, and employees responsible for implementing them must receive thorough training on their roles and responsibilities.

5. Employee Cybersecurity Training – Section 500.14

Cybersecurity isn’t just an IT responsibility—it’s everyone’s responsibility. Under Section 500.14, organizations must provide regular training for all employees, especially those who are responsible for implementing the incident response and disaster recovery plans.

This provision aims to build a culture of security within companies, ensuring employees are aware of current cyber threats and know how to respond in case of an incident. Security awareness training is essential to prevent common threats like phishing attacks from compromising sensitive data.

6. Access Controls and Identity Management – Section 500.07

With the increase in remote work and digital transformation, identity management has become more crucial than ever. Section 500.07 mandates strong access control measures, including multi-factor authentication (MFA), to limit access to sensitive data. Organizations must also enforce identity management solutions to ensure that only authorized individuals can access critical systems.

Class A Companies vs. Exemptions

One of the important distinctions in these regulations is that Class A companies (large organizations meeting specific thresholds) have more stringent requirements. These companies face additional scrutiny, including enhanced risk assessments and stricter governance.

Smaller companies and certain other businesses, however, may qualify for exemptions from some of the regulations. It’s important for organizations to thoroughly review the amended regulations to see if they qualify for any exemptions or additional obligations.

The Road Ahead for 2025

While many of these regulations are effective now, other provisions are scheduled to take effect throughout 2025. This phased approach allows companies time to adapt their policies and practices, especially those related to more complex governance and technical requirements.

If your organization falls under NYDFS jurisdiction, staying compliant isn’t just about avoiding penalties; it’s about ensuring that your business and customers’ data remain secure in an increasingly dangerous cyber landscape.

Holistic Cybersecurity Measures

The NYDFS amendments require organizations to strengthen various aspects of their cybersecurity frameworks. These measures ensure that businesses are fully equipped to manage, protect, and recover from cyber threats. Here are the key areas covered by the updated regulations:

  • Information Security & Risk Management: Establishing strong information security policies is fundamental. You need to have effective risk management practices in place to identify and mitigate potential threats to your systems and data (Section 500.02).
  • Data Governance, Classification, and Retention: Clear policies for data governance, including classification and retention, ensure that sensitive information is handled securely throughout its lifecycle (Section 500.03).
  • Asset Inventory & Device Management: Maintain an accurate inventory of all your devices and systems. Effective management and secure disposal of end-of-life assets are essential to avoid potential security gaps (Section 500.11).
  • Access Controls & Identity Management: Restricting access to sensitive data is crucial. This includes enforcing strict identity management policies and controlling remote access to ensure that only authorized individuals can access critical systems (Section 500.07).
  • Business Continuity & Disaster Recovery: Have clear business continuity and disaster recovery plans in place, including backup strategies to restore essential operations during a cyber event (Section 500.17).
  • Systems Operations & Availability: Your systems must be continuously available and operational. This includes monitoring for vulnerabilities and ensuring uptime for critical services.
  • Network & System Security: Implementing network security protocols, monitoring systems for intrusions, and regularly testing your security infrastructure are all necessary to protect against cyber threats (Section 500.09).
  • Security Awareness & Employee Training: Equip your employees with the knowledge to spot cyber threats and understand their role in maintaining a secure environment. Regular training ensures everyone is prepared (Section 500.14).
  • Application & Systems Security: Make sure your applications and systems are secure through ongoing testing and development practices. This includes quality assurance measures to prevent vulnerabilities from entering your production environment (Section 500.06).
  • Physical Security & Environmental Controls: Safeguard your physical infrastructure with appropriate security measures, including access controls and environmental monitoring to protect against physical threats.
  • Customer Data Privacy: Protect customer data with strong privacy measures that comply with legal and regulatory requirements, keeping their sensitive information secure (Section 500.05).
  • Vendor & Third-Party Risk Management: It’s critical to manage risks associated with third-party vendors. Secure the supply chain and ensure your partners follow similar security practices (Section 500.11).
  • Risk Assessment: Perform regular assessments to identify and evaluate risks to your organization. This helps you prioritize actions based on the most critical threats (Section 500.02).
  • Incident Response & Notification: Be prepared with a clear plan for detecting, responding to, and notifying relevant parties about cybersecurity incidents (Section 500.16).
  • Vulnerability Management: Continually assess and manage vulnerabilities to prevent attacks from exploiting weaknesses in your systems (Section 500.09).

Strobes Expertise in NYDFS Cybersecurity Regulations

At Strobes, we’re fully prepared to help your organization comply with the updated NYDFS Cybersecurity Regulations. Our solutions in Continuous Threat Exposure Management (CTEM), Risk-Based Vulnerability Management (RBVM), Penetration Testing as a Service (PTaaS), Attack Surface Management (ASM), and Application Security Posture Management (ASPM) ensure that your cybersecurity strategies align with the latest requirements.

How Strobes Can Help:

  1. Continuous Threat Exposure Management (CTEM) – Aligns with Sections 500.05 and 500.12 by providing real-time monitoring and risk management, enhancing your access control and supporting proactive risk management.
  2. Risk-Based Vulnerability Management (RBVM) – Supports Sections 500.06 and 500.11 by helping prioritize vulnerabilities based on risk levels and integrating them into your incident response plans.
  3. Penetration Testing as a Service (PTaaS) – Aligns with Sections 500.09 and 500.13 to simulate real-world attacks and identify weaknesses in your security measures and third-party relationships.
  4. Attack Surface Management (ASM) – Helps monitor your external attack surface in line with Section 500.05, identifying vulnerabilities before they become major issues.
  5. Application Security Posture Management (ASPM) – Continuously assesses application vulnerabilities, in line with Section 500.09, to ensure ongoing security and compliance.

How Strobes Supports Your Compliance Journey

With CTEM, RBVM, PTaaS, ASM, and ASPM, Strobes offers tools that help your organization comply with the NYDFS Cybersecurity Regulations. We address the following critical areas:

  • Cybersecurity Program and Risk Management (Sections 500.05 & 500.06)
  • Incident Response and Reporting (Section 500.16)
  • Vulnerability Management and Penetration Testing (Sections 500.09 & 500.11)
  • Access Control and Third-Party Management (Sections 500.12 & 500.13)

Our solutions work seamlessly with your cybersecurity strategy, ensuring compliance with the latest regulatory requirements while improving your overall security.

What’s Next?

With the NYDFS regulations now in full effect, it’s essential for covered entities to ensure their cybersecurity policies and procedures are updated. Noncompliance could result in penalties or worse cyberattacks that could cause significant financial and reputational damage.

At Strobes, we’re ready to support you in navigating the updated regulations, helping you build a robust cybersecurity strategy that meets all the new requirements. 

For more detailed insights into the full set of amendments and requirements, refer to the official NYDFS document here: Amended NYCRR Part 500.

Shubham Jha

Shubham is a Senior Content Marketing Specialist who trades in ones and zeros for words and wit. With a solid track record, he combines technical proficiency with creative flair. Currently focused on cybersecurity, he excels at turning complex security concepts into clear, engaging narratives. His passion for technology and storytelling makes him adept at bringing intricate data to life.

Close Menu