New NYSDFS Policies will have Larger Reach than Most Realize

New York business such as real estate title agencies, small lenders, even businesses that provide services to financial institutions are scrambling to find out if and how to comply with new state regulations. Here’s a quick rundown of DFS and who needs to worry about IT compliance.

The State of New York Department of Financial Services (DFS) has put into place an extensive cybersecurity process that must be followed by all businesses that are licensed by the DFS. The implementation of this policy is most likely a result of the exponential increase in security breaches we have seen in the past year or so. The DFS was created in 2011 by combining the NYS Banking department and the NYS Insurance department. It’s responsible for regulating financial services and products, including those involved with insurance, banking, and financial services laws.  Covered businesses were required the begin compliance by August 28th, 2017. So if this all sounds unfamiliar to you and you are at least a quasi-financial business, you’re already late. Some of these new polices will have a ripple effect that will affect companies that don’t even fall under the DFS umbrella, so I advise that you keep reading regardless of your business.

We’ve seen many downstream companies have to comply with regulations they don’t fall under, but their client does.  Like Visa asking vendors to be PCI compliant, even if they don’t touch credit card numbers, or GE asking independent vendors to comply with regulations that only publicly-traded companies are subject to.  This will happen with DFS as well.


A small number of financial businesses are partially exempt from some of these new DFS polices, depending on their size and revenue. A business will be exempt if any of the following apply:

-There are fewer than 10 employees including independent contractors

-There has been less than 5 million in gross annual revenue in each of the last three fiscal years

-There has been less than 10 million in year-end total assets, including assets of all Affiliates.

The exemption requirements are difficult to meet, so most businesses will still be affected. The first wave of polices being implemented took place on August 28th, and are as follows:


Program: Section 500.02 – All covered businesses will create a cybersecurity program that will protect the confidentiality, integrity, and availability of that businesses information systems.  The cybersecurity program must be based off the businesses Risk Assessment.

Cybersecurity Policy: Section 500.03 – All covered businesses will implement a written policy that must be approved by the board of directors (or the equivalent governing body). The written policy will put into place the procedures for the protection of the businesses information systems and nonpublic information in those systems. The written policy must address the following 14 areas:

  1. Information security
  2. Data governance and classification
  3. Asset inventory and device management
  4. Access controls and identity management
  5. Business continuity and disaster recovery planning and resources
  6. Systems operations and availability concerns
  7. Systems and networks security
  8. Systems and network monitoring
  9. Systems and application development and quality assurance
  10. Physical security and environmental controls
  11. Customer data privacy
  12. Vendor and Third Part Service Provider management
  13. Risk assessment
  14. Incident response

Access Privileges: Section 500.07 – Based off of the risk assessment, user access privileges to nonpublic information will be restricted and periodically reviewed/updated. Cybersecurity Personal: Section 500.10 – All cybersecurity personal must be updated on new security risks and the cybersecurity program. They also must have regular cybersecurity awareness training, and the company must elect a Chief Information Security Officer (CISO) if they have not done so yet.

Incident Response Plan (IRP): Section 500.16 – A written IRP must be implemented. The IRP must be written to be able to respond and recover from any security incident. It must address the internal process for the response of an incident, the goals of the IRP, external and internal communications and information sharing, identification of requirements for remediation of identified weaknesses, documentation and reporting, and necessary evaluation of the IRP after a security incident.

Notice of Cybersecurity Event: Section 500.17(a) – a cybersecurity event must be reported to the DFS superintendent within 72 hours of the event taking place.

All the previous polices have already been implemented and are being in force. The rest of these policies will be enforced down the road:


Compliance Certificate: Section 500.17(b) – By February 15th, 2018, a compliance certificate must be filed on the DFS website. It will be submitted in a similar form to that in 500.17(a) and will certify that the covered business is in compliance with the requirements set forth.

Limitations on Data Retention 500.13 – By September 3rd, 2018, each business will include policies and procedures for the removal on a periodic basis of and nonpublic information that is no needed for business operations and other business reason in their cybersecurity program.

Third Party Service Provider Security Policy: Section 500.11 – This is the piece that will affect most companies, even those not covered by the DFS. By March 1st, 2019, written polices will be put into place by the covered businesses in regards to the information systems and nonpublic information accessible/held by third party service providers. The covered businesses will conduct a risk assessment on theses third parties and set minimum cybersecurity standards that must be met in order to continue doing business with one another. Periodic risk assessments will be conducted for these third party vendors and will be adjusted as the DFS covered business sees fit. These means that many law firms, accounting firms, and other vendors will face new cybersecurity requirements. People who are against the new NYSDFS guidelines see this as a big problem for smaller firms with limited finances. Some may have a hard time gathering the necessary funds to bring their company up to their new cybersecurity codes. It’s advised for those companies to outsource their new IT needs to an IT firm that can cover their new expenses. Hiring an in house IT professional is much more expensive than outsourcing to the third party.  At Groff NetWorks, we pride ourselves in being able to offer companies an entire IT staff that is expert in these issues for less than the cost of hiring a single full-time Tier 1 technician.

If any companies need a boost in cybersecurity or needs help being IT compliant with NYDFS, Groff NetWorks would gladly step in to assist you in your IT needs. You can contact us on our website or call us at 518-320-8906. While some entities are worried about these new stringent policies set in place by the NYSDFS, no one is doubting that this will decrease cybersecurity threats. With hacking becoming a larger threat every day, this will be a step in the right direction and we may see other states follow the NYSDFS footsteps soon.



Groff NetWorks provides IT support and managed services for Troy, Albany, and Schenectady businesses at a price that doesn’t break the bank.