New York Department of Financial Services

Cyber Regulation 2017

Effective date: March 1, 2017

The most significant cyber regulation in history

The regulation affects all financial institutions under the purview of the NY DFS.

Are you prepared to act?

  • CEOs and Boards of Directors will be responsible for certifying compliance for cybersecurity
  • Focus is on integrity and availability of data
  • The regulation is process-based rather than outcome-based
  • Cyber insurance may not cover fines/penalties for non-compliance

NY DFS Cyber Regulation: Table Stakes for Compliance

Two industry thought leaders, Chip Block, Vice President of Evolver, and Rick Borden, Counsel of Robinson & Cole, come together for this much-needed and urgent legal and technical discussion for business executives.


Topics for the cyber webinar:

  • New details on the final New York Department of Financial Services Cyber Regulation
  • How the cyber risk assessment will shape your policies & procedures
  • Tangible methods to prepare for the sprint to the compliance deadline

With the number and magnitude of cyber events steadily increasing, the financial industry continues to be a significant target. The State of New York’s cyber regulations, covering banks, insurance companies, and other financial institutions licensed in New York, endeavor to protect these organizations from the debilitating losses associated with a cyber event. They do so by mandating multiple comprehensive policies, stringent standards, and C-Suite certifications.

Achieving compliance with these far-reaching cybersecurity requirements for financial institutions will require a combination of technical and legal advice.

If you are uncertain about the proposed regulations, your obligations, or the potential impact, Evolver will help you through the process. Working together, we will assess your current cyber profile and address the areas where your organization is non-compliant.

New York Department of Financial Services Cyber Requirements

  • Establishment of Qualified Chief Information Security Officer (“CISO”)
  • Penetration Testing
  • Vulnerability Assessments
  • Encryption of Data at Rest and in Transit
  • Preservation of Audit Data (to reconstruct transactions and cyber events)
  • Data Minimization
  • Notices to Superintendent
  • Risk Assessment (Basis for other policies and procedures/actions)
  • Written Cybersecurity Policy
  • 3rd Party Information Security Policy
  • Limitations on Data Retention
  • Training & Monitoring
  • Incident & Response Plan
  • Application Security
  • CISO Assessment
  • Risk Assessment (outcome used to develop policies and procedures)
  • Annual Statement of Compliance (by named C-Suite or Chairman of the Board)
  • Notice of material Cybersecurity Event (within 72 hours)