NYDFS Cybersecurity Compliance
NYDFS, or the New York State Department of Financial Services, requires financial service entities in New York to follow certain practices to protect clients. To be compliant, general cybersecurity requirements must be met. Companies with under 10 employees, companies doing less than $5 million in gross annual revenue for three years, or companies with less than $10 million in total year-end assets are exempt.
Those who must follow the regulations include insurance companies who do business in New York, mortgage and trust companies, state-chartered banks, licensed lenders, private bankers, foreign banks licensed in New York and service contract providers.
Beginning in 2018, companies must file an annual certification for NYDFS compliance.
Threatcare offers solutions for compliance with many of the requirements set by the New York State Department of Financial Services.
The Threatcare Suite plays a role in addressing:
(a) Cybersecurity Programs
(b) Cybersecurity Policies
(d) Audit Trails
(e) Risk Assessments
(f) Security Personnel and Intelligence
(g) Incident Response Plans, among other solutions.
More information on NYDFS compliance specifics:
(a) Section 500.02: “Establish a cybersecurity program based on periodic risk assessments and designed to identify and assess risks; protect information systems and nonpublic information; detect, respond to, and recover from cyber events; and fulfill all reporting obligations.”
(b) Section 500.03: “Create and maintain written policies and procedures for the protection of information systems and nonpublic information based on the company’s risk assessment.”
(c) Section 500.04: “Designate a CISO to oversee and implement the cybersecurity program. The CISO may be employed by the regulated entity, an affiliate, or a third-party service provider.”
(d) Section 500.06: “Maintain systems designed to recover material financial transactions following an event and audit trails to detect and respond to cybersecurity events.”
(e) Section 500.09: “Conduct bi-annual risk assessments that consider threats, particular risks to the entity, and an examination of existing controls in the context of identified risk.”
(f) Section 500.10: “Utilize qualified cybersecurity personnel or an ‘Affiliate or a Third-Party Service Provider’ sufficient to manage the organization’s risks and to perform or oversee the performance of the core cybersecurity functions.”
(g) Section 500.16: “Establish a written incident response plan for responding to and recovering from cybersecurity events.”
For further explanations and how you can map to NYDFS compliance, you can contact Threatcare for more information on the Threatcare Suite.