NYS DFS Cybersecurity Regulation: New Compliance Requirements
On November 1, 2024, a major phase-in date of the amended New York State Department of Financial Services (DFS) Cybersecurity Regulation (23 NYCRR Part 500) takes effect, bringing new requirements for Class A companies, standard covered entities, and smaller entities operating under the limited exemption that handle sensitive data.
Who is Impacted? The regulation applies to every "covered entity": any person or organization operating under a license, registration, charter, certificate, permit or similar authorization from DFS. Size does not decide whether you are covered; it decides which tier of requirements applies to you:
Class A company: at least $20 million in gross annual revenue from New York operations in each of the last two fiscal years, and either over 2,000 employees (averaged over the last two fiscal years, affiliates included) or over $1 billion in gross annual revenue from all operations in each of the last two fiscal years. Class A companies carry additional obligations, such as independent audits of the cybersecurity program and privileged access management.
Limited exemption (DFS Section 500.19): available only to covered entities with fewer than 20 employees (including independent contractors), less than $7.5 million in gross annual revenue from New York operations in each of the last three fiscal years, or less than $15 million in year-end total assets.
Every other covered entity falls under the standard requirements.
Not sure if your business is exempt?
Check whether you qualify for a full or limited exemption by using the DFS Exemption Check.
Key Compliance Requirements:
Cybersecurity Governance (DFS Section 500.4)
The CISO must report in writing to the senior governing body at least annually on the cybersecurity program and material cybersecurity risks, and must promptly report material issues such as significant cybersecurity events. The senior governing body must understand cyber risk well enough to exercise oversight and must regularly receive and review these reports.
Encryption of Nonpublic Information (NPI) (DFS Section 500.15)
A written policy requiring industry-standard encryption of NPI both in transit over external networks and at rest. Compensating controls are permitted only for NPI at rest, only where encryption is infeasible, and only with the CISO's written approval, reviewed at least annually.
Incident Response and Business Continuity (BCDR) (DFS Section 500.16)
Maintain written incident response and BCDR plans, test them at least annually, and train every employee responsible for carrying them out. Backups must be protected from unauthorized alteration or destruction and tested at least annually to confirm that critical data and systems can be restored.
Next Steps:
Review and update your cybersecurity policies
Ensure NPI encryption meets requirements
Test and revise IR and BCDR plans
Need help? Contact Attronica.ai to work toward compliance and protect your business with cybersecurity controls that are reasonable for your size and risk.