
Uncovering the NYDFS and how it applies to your data

NYDFS stands for the New York State Department of Financial Services. It is the state regulator for financial services companies operating in New York, including banks, insurance companies and other financial services providers. The NYDFS issues licenses and charters under the New York Banking Law, Insurance Law and Financial Services Law, examines licensees for compliance with state laws and regulations, and enforces penalties for violations.

The NYDFS Cybersecurity Regulation, codified at 23 NYCRR Part 500 and usually just called Part 500, is a set of binding requirements issued by the NYDFS to protect the information systems and nonpublic information of the entities it regulates (“covered entities”) from cyber threats. The regulation requires each covered entity to establish and maintain a cybersecurity program based on its own risk assessment, and to implement specific controls: periodic risk assessments, a written incident response plan, access controls, encryption of nonpublic information, and regular penetration testing and vulnerability assessments, among others. It also requires covered entities to designate a Chief Information Security Officer (CISO), to notify the NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred, and to file an annual certification of compliance. Part 500 took effect on March 1, 2017 with phased transition periods, and was substantially amended in November 2023 (the “Second Amendment”), which tightened several of the controls described below. It applies to any entity licensed or chartered by the NYDFS, including banks, insurance companies and other financial services providers.

Who falls under the NYDFS jurisdiction

Part 500 applies to any “Covered Entity”, which the regulation defines as any person operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation or similar authorization under the New York Banking Law, Insurance Law or Financial Services Law. In practice that includes:

  1. Banks
  2. Insurance companies
  3. Mortgage companies
  4. Money transmitters
  5. Licensed lenders
  6. Virtual currency companies
  7. Check cashers and other Banking Law licensees
  8. Insurance producers, such as licensed agents, brokers and adjusters
  9. Any other person holding an NYDFS license, registration, charter, certificate, permit or accreditation under those three laws

Coverage turns on the NYDFS authorization, not on where the entity is incorporated, headquartered or physically located. An insurer headquartered in another state that is licensed to write policies in New York is a covered entity; so is a lender or money transmitter licensed under the Banking Law even if it serves New York customers entirely online. Conversely, merely having New York customers does not by itself bring an entity under Part 500 if none of its activities require an NYDFS authorization. Note that firms regulated only at the federal level or by the SEC (for example, most private equity and investment advisers) are generally not NYDFS licensees and so are not covered entities, although they may be subject to other state and federal cybersecurity rules.

How is conducting business with residents defined

The regulation does not use a “conducting business with New York residents” test at all, so there is nothing for it to define. The jurisdictional question is whether an activity requires a license, registration, charter, certificate, permit or accreditation under the Banking Law, Insurance Law or Financial Services Law. Because the definition of Covered Entity also reaches any person “required to operate under” such an authorization, an entity cannot avoid Part 500 by failing to obtain a license it should hold.

Activities directed at New York residents that commonly require such an authorization include:

  1. writing insurance policies covering New York residents or risks located in New York
  2. making consumer or mortgage loans to New York residents, or brokering or servicing such loans
  3. transmitting money on behalf of New York customers
  4. conducting virtual currency business activity involving New York or New York residents (the “BitLicense” regime)
  5. operating a bank branch or other licensed place of business in the state

Whether a specific activity triggers a licensing requirement is a question under the relevant statute, not under Part 500 itself, and should be confirmed with counsel. Even a covered entity may qualify for one of the limited exemptions in Section 500.19, for example small entities below the employee, revenue and asset thresholds, or entities that do not operate any information systems and do not control nonpublic information; exempt entities must still file a notice of exemption, and the exemptions are partial rather than total. The NYDFS ultimately decides how these provisions are interpreted and enforced.

Covered companies responsibilities under the NYDFS

Under Part 500, every covered entity must establish and maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of its information systems and the nonpublic information they hold. The program must be based on the entity's risk assessment, and the regulation sets out specific requirements, which include:

  1. Risk Assessments (Section 500.09): Covered entities must conduct periodic, documented risk assessments of their information systems, and must update them whenever the business or the threat environment changes materially. The risk assessment drives the design of the rest of the program.
  2. Incident Response Plan (Section 500.16): Covered entities must maintain a written plan covering internal response processes, roles and decision-making authority, external and internal communications, remediation, documentation and reporting of events, and post-incident review. The 2023 amendment adds business continuity and disaster recovery planning and requires the plans to be tested.
  3. Access Controls (Section 500.07): Covered entities must limit user access privileges to information systems that provide access to nonpublic information, and periodically review those privileges. The 2023 amendment adds explicit least-privilege, privileged-account management, periodic access reviews, prompt removal of access on termination, and password controls.
  4. Encryption (Section 500.15): Covered entities must encrypt nonpublic information both in transit over external networks and at rest. Where encryption at rest is infeasible, the CISO may approve compensating controls, which must be reviewed at least annually.
  5. Penetration Testing and Vulnerability Assessments (Section 500.05): Covered entities must conduct penetration testing at least annually and vulnerability assessments regularly (originally at least bi-annually; the 2023 amendment requires automated vulnerability scanning at a frequency set by the risk assessment, plus monitoring for newly disclosed vulnerabilities and risk-based remediation).
  6. Training and Monitoring (Section 500.14): Covered entities must provide regular cybersecurity awareness training to all personnel (annual under the 2023 amendment, including social-engineering awareness) and implement monitoring to detect unauthorized access to or use of nonpublic information.
  7. Chief Information Security Officer (Section 500.04): Covered entities must designate a qualified individual responsible for overseeing and implementing the program and enforcing the policy. The CISO may be employed by an affiliate or a third-party service provider, and must report in writing to the board or senior governing body at least annually on the program and material cybersecurity risks.
  8. Notices and Certification (Section 500.17): Covered entities must notify the NYDFS within 72 hours of determining that a cybersecurity event has occurred that either requires notice to another government body or regulator or has a reasonable likelihood of materially harming normal operations. Under the 2023 amendment, any extortion payment must also be reported within 24 hours. Each entity must file an annual certification of compliance (or an acknowledgment of non-compliance with a remediation plan), signed by the CISO and the highest-ranking executive.

In addition, the regulation requires a written cybersecurity policy approved by the board or a senior officer (Section 500.03); audit trails sufficient to reconstruct material financial transactions and detect and respond to cybersecurity events (Section 500.06); written procedures for secure development of in-house applications and for evaluating externally developed ones (Section 500.08); qualified cybersecurity personnel, whether in-house or from a third party (Section 500.10); a written policy for the security of information held or accessed by third-party service providers, including due diligence and contractual minimums (Section 500.11); multi-factor authentication, originally for any individual accessing internal networks from an external network and, under the 2023 amendment, for all remote access, privileged accounts and third-party application access (Section 500.12); and procedures for the secure disposal of nonpublic information that is no longer needed for business or legal purposes (Section 500.13). Records supporting these obligations must be kept for five years, since the NYDFS may ask for them on examination.

NY Consumers rights under the NYDFS

Part 500 is a supervisory regulation: it governs the relationship between the NYDFS and the entities it licenses, and is enforced by the NYDFS through examinations and penalties. It does not create any rights that consumers can enforce directly, and it does not itself require a covered entity to notify affected individuals. Its notification duty runs to the NYDFS, within 72 hours of determining that a reportable cybersecurity event has occurred, together with the annual certification of compliance.

Consumer-facing rights come from other laws. New York's General Business Law Section 899-aa (as expanded by the 2019 SHIELD Act) requires any business that holds New York residents' private information to notify affected residents without unreasonable delay after discovering a breach, and to notify the Attorney General, the Department of State and the Division of State Police. The notice must include the business's contact information, the telephone numbers and websites of the relevant state and federal agencies that provide breach-response guidance, and a description of the categories of information that were, or are reasonably believed to have been, accessed or acquired. The SHIELD Act also imposes a general duty to maintain reasonable safeguards, with which Part 500 compliance is deemed to satisfy.

New York consumers are also protected by federal law. The Gramm-Leach-Bliley Act (GLBA), through the Safeguards Rule and the banking agencies' interagency guidance, requires financial institutions to protect customer information and to notify customers of unauthorized access to sensitive customer information; the Health Insurance Portability and Accountability Act (HIPAA) Security Rule and Breach Notification Rule impose corresponding safeguard and notification duties on healthcare providers, health plans and their business associates, which is relevant to NYDFS-regulated health insurers that are also HIPAA covered entities. A single incident at a covered entity can therefore trigger overlapping notification clocks under Part 500, GBL 899-aa and federal law, and the incident response plan required by Section 500.16 should map each one.