NYDFS Cybersecurity September 3, 2018 Deadline Approaches – Are You Ready?

by Dauna Williams & Arian Jabbary

August 10, 2018


September 3, 2018 marks the latest deadline under the New York Department of Financial Services (“NYDFS”) Cybersecurity Regulation 23 NYCRR 500.  This regulation applies to all financial services companies that are regulated by the NYDFS.

By September 3, the NYDFS requires that affected companies have in place the next in a series of mandated cybersecurity safeguards. Specifically, affected companies must be in full compliance with the requirements for (i) a clear audit trail of shared sensitive data moving into and out of the business at any given time (Section 500.06), (ii) application security policies and procedures (Section 500.08), (iii) data retention limitation policies and procedures (Section 500.13), (iv) authorized users policies and procedures (Section 500.14a), and (v) an encryption protocol for all nonpublic information (Section 500.15).

“Included in each company’s cybersecurity policy should be best practices for data retention and disposal.”


Released in February of 2017, the NYDFS cybersecurity regulations set out requirements for how financial institutions should deal with the security and breach challenges reshaping the industry. The roll-out of these rules affects all NYDFS-regulated entities, including but not limited to state-chartered banks, licensed lenders, mortgage companies, insurance companies, and foreign banks licensed by NY State. Such entities must certify to the NYDFS annually that they remain in full compliance. The regulation says that affected companies must install a Chief Information Security Officer (CISO) tasked with devising an extensive cybersecurity policy and corresponding program. The program must identify existing cybersecurity threats, prevent potential future threats, recover from past breaches, and report cybersecurity dangers to NYDFS. Included in each company’s cybersecurity policy should be best practices for data retention and deletion. Companies should not keep data any longer than necessary for their operations, unless required by law. Companies should safely and securely dispose of data they no longer need. Lastly, the security officer must also file an annual written report to the company’s board for approval.

Certificates of compliance must be filed annually with the DFS by February 15 for the prior calendar year. If a company has not yet certified with NYDFS, it should do so as soon as possible via NYDFS’s website. Companies that fail to comply run the risk of penalties.

The complete rules can be read on the NYDFS website. NYDFS has also made available a set of FAQs that it updates from time to time.

 Please contact BurgherGray if you have any questions or if you would like a review of your company’s privacy program.


ATTORNEY ADVERTISING. The information contained herein may constitute attorney advertising in certain jurisdictions and, in any event, should not be construed as legal advice with respect to any specific fact or circumstance. The information was prepared and is provided by BurgherGray LLP for general information purposes only and should not be used or relied on as a substitute for competent legal advice from an appropriately licensed attorney at law.  Neither the provision by BurgherGray or the use by you of the information presented herein creates any attorney-client relationship between you and BurgherGray LLP.  Any prior result included in the information does not guarantee or imply a similar result or outcome in other matters.
