Some Essentials of NY DFS Cybersecurity Compliance and Reporting
Take steps to protect your organization, and be sure to always report an attempted breach

NYCRR 500 requires entities overseen by the New York Department of Financial Services (DFS) to comply with strict standards of cyber security. You can find a summary of the program here, a more in-depth paper here, and a list of frequently asked questions via this resource.

In this blog, we’re taking a look at the essential steps in getting a cyber-protection framework in place and how to report to DFS after a breach.

Who is affected and the price for non-compliance

NYCRR 500 states that you must comply with the law if you are a person or business operating under (or required to operate under) a license, registration, charter, certificate, permit, accreditation, or similar authorization in New York’s financial services, banking, or insurance sectors. You can refer to our earlier blog on this subject for a list of affected entities and which of them qualify for limited exceptions.

Last August brought mandatory compliance with four basic but crucial steps. When they’re all adhered to, businesses will be far better positioned to protect sensitive data from a breach.

The primary step is for covered entities to implement their own cybersecurity program. This program should consist of clearly defined policies and procedures, and it also requires the drafting of an incident response plan. There is no “one size fits all” program plan here; each individual entity must assess all risks relevant to its particular business model and systems. All senior management staff must review and approve the program.

Next is the appointment of a qualified CISO (Chief Information Security Officer) whose job it is to oversee the successful implementation of the security steps. Their expertise will allow a business to stay current with its existing cybersecurity model, as well as keep abreast of the latest developments in threat prevention and response.

In direct relation to the CISO requirement is the responsibility of businesses to periodically review access privileges to computer networks and confidential data. A member of a covered organization can be nominated by the CISO to keep watch on who is granted access to what, as well as where and when (this is the core of behavior-based cyber protection).

What if there’s a data breach?

In the unfortunate event of a data breach, the incident must be reported to the DFS within 72 hours, even if the criminal attempt was unsuccessful. Success is not the only measure of a cyber attack’s impact; every attack is a cause for concern and should be registered with the DFS. The severity of the data breach must be assessed to ascertain how likely it is to impact operations, and how badly.

How and where to file

The DFS makes it simple and quick to report any incident. You can access their website and click on the orange highlighted icon near the top of the page.

How CyberGuard 360 can help

If you’re concerned about NYCRR 500 and all of its requirements, we specialize in helping companies stay compliant.

Compliance deadline reminders are only one of our many services. We also help with cyber and business policy templates, incident response plans, technology solutions, and much more. We safeguard your organization from advanced malware attacks, exploits, drive-bys, script-based attacks, and other dangers.

Half of all cyber-attacks in America are targeted at small- to medium-sized businesses, but we’re here to make sure that figure doesn’t scare you. An amazing 97% of data loss is preventable if your data is protected where it is created, accessed, and stored. Our services offer protection and peace of mind against anything computerized crime can throw at you.

A further resource

You can sign up for weekly free security tech tips on our website. If you’re in the New York area this August, consider attending the New York City Cyber Security Conference on the 23rd of the month, where the latest in cybersecurity information, educational presentations, and product and service research will be available.

CyberGuard 360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.