NYDFS Cybersecurity Regulation
NYDFS finalized its second cybersecurity regulation amendment with tougher requirements for large companies: 24-hour ransomware reporting, privileged access management, and extended supply chain security obligations.
The New York State Department of Financial Services (NYDFS) adopted the second amendment to 23 NYCRR Part 500, its cornerstone Cybersecurity Regulation. The amendment, effective 1 December 2023, introduces heightened requirements for board governance, incident notification, privileged access, business continuity, and third-party risk. It creates a new category of “Class A companies” with heightened obligations, expands annual certification to include board attestation, mandates tighter monitoring of privileged accounts, and raises expectations for data retention and logging, all of which intersect with data subject access request (DSAR) responsibilities under privacy laws such as the Gramm-Leach-Bliley Act (GLBA), New York’s SHIELD Act, and state privacy regimes.
Governance upgrades and accountability
The amendment codifies board-level oversight by requiring the senior governing body (for example, the board of directors) to approve the cybersecurity program and incident response plan annually. Boards must ensure the chief information security officer (CISO) has adequate independence, resources, and authority. They must also receive regular reports on cyber risks, security posture, material deficiencies, and remediation plans. Governance charters should assign responsibility for reviewing cybersecurity policies, business impact analyses, and DSAR metrics, recognizing that logging and data retention controls underpin accurate responses to consumer and employee requests.
The regulation now requires the CISO to report material cybersecurity issues to the senior governing body and senior management in a timely manner. Organizations must document reporting cadences, escalation thresholds, and evidence of board review. Audit committees should integrate NYDFS compliance into enterprise risk management, aligning with Sarbanes-Oxley (SOX) controls and GLBA safeguards. Maintain minutes referencing DSAR considerations, particularly how log retention and access reviews support rights to access, correction, and deletion.
Class A company requirements
Class A companies—financial institutions with at least $20 million in gross annual revenue from New York business and either over $1 billion in gross annual revenue across all operations or over 2,000 employees—face heightened obligations:
- Independent audits: Annual independent audits of the cybersecurity program, including testing of privileged access management, logging, and DSAR-related evidence preservation.
- Privileged access management (PAM): Automated access reviews, just-in-time access, and privileged session monitoring. These controls must ensure DSAR case managers can review and document access to personal data during incident investigations.
- Endpoint detection and response (EDR): Deployment of EDR tools with centralized monitoring and logging. Ensure logs are retained for the minimum 3-year period required for DSAR verification, regulatory reporting, and forensic investigations.
- Network segmentation: Implementation of zero trust architecture elements to reduce lateral movement. Document how segmentation protects DSAR systems and consumer data repositories.
Even non-Class A companies must update risk assessments, implement multi-factor authentication (MFA), and maintain asset inventories. All covered entities should map these controls to DSAR processes, verifying that identity verification tools, case management systems, and secure file transfers meet logging and retention requirements.
Incident reporting and logging
The amendment tightens incident notification: covered entities must notify NYDFS within 72 hours of any cybersecurity event where an unauthorized user gains access to a privileged account or when a ransomware deployment occurs. They must also report to NYDFS within 24 hours of making a ransomware payment and submit a follow-up report within 30 days detailing alternatives considered. These timelines require full logging and forensic readiness. Maintain immutable logs of privileged activity, DSAR systems, and data repositories, ensuring that evidence is available to regulators and data subjects seeking confirmation of whether their data was implicated.
NYDFS now requires annual penetration testing for Class A companies and periodic testing for others, as well as annual cybersecurity awareness training that includes social engineering testing. Logs must be monitored for anomalous activity, with automated tools to detect and respond to incidents. DSAR teams should receive alerts when breaches affect data subject request histories, enabling rapid communication to affected individuals consistent with GLBA and SHIELD Act breach notification obligations.
Business continuity, disaster recovery, and DSAR preservation
Covered entities must maintain business continuity and disaster recovery (BCDR) plans that include procedures for maintaining access to critical data and systems. The amendment clarifies expectations for backup frequency, offline storage, and testing. DSAR processes must be embedded into BCDR plans, ensuring that request intake, verification, and fulfillment can continue during disruptions. Maintain replicated DSAR case management systems, document fallback communication channels, and test DSAR continuity during tabletop exercises. Ensure backups preserve DSAR records and related audit trails to satisfy regulatory inquiries and consumer rights.
Third-party risk management and data sharing
NYDFS expands third-party risk requirements, mandating risk-based assessments, minimum cybersecurity practices for service providers, and contractual clauses addressing incident notification, MFA, and data handling. Controllers must ensure third-party vendors supporting DSAR operations—such as identity verification providers, secure messaging platforms, and data discovery tools—comply with NYDFS standards. Contracts should require timely support for DSAR responses, logging, and breach notifications. Maintain vendor inventories with classifications reflecting access to personal data, privileged systems, or DSAR records.
When sharing data with affiliates or outsourcing DSAR processing, perform due diligence on privacy and security controls. Document cross-border data transfers, ensuring compliance with international privacy laws and DSAR reciprocity. Implement continuous monitoring of third-party controls, using questionnaires, certifications (SOC 2, ISO 27001), and onsite assessments.
Risk assessments and control testing
The amendment requires risk assessments to be updated annually and whenever a material change occurs. Assessments must evaluate the adequacy of controls across governance, identity, access, data management, and DSAR operations. Incorporate scenarios involving ransomware, insider threats, supply chain attacks, and DSAR fraud. Use quantitative scoring to prioritize remediation and report outcomes to the board.
Conduct regular testing of access controls, logging, and DSAR workflows. Validate that DSAR portals enforce MFA, audit trails capture case activity, and retention schedules align with regulatory requirements. Internal audit should review cybersecurity and DSAR processes at least annually, with Class A companies subject to independent audit validation.
Training and culture
NYDFS emphasizes cybersecurity awareness for all employees and specialized training for privileged users. Expand curricula to include DSAR security—teaching staff how to recognize fraudulent requests, protect identity verification data, and escalate suspicious activity. Provide board-level education on NYDFS obligations, DSAR interactions, and oversight responsibilities. Track training completion rates and effectiveness through phishing simulations and tabletop exercises.
Key metrics
Develop metrics to monitor compliance: number of privileged accounts with MFA, time to detect and respond to incidents, DSAR response times, volume of third-party risk assessments completed, and status of remediation actions. Provide dashboards to executive leadership and the board, highlighting trends and areas needing attention. Prepare annual certifications, including board attestation, supported by evidence of control effectiveness and DSAR performance.
Immediate next steps
Within 60 days, finalize governance updates, refresh risk assessments, and document implementation plans for Class A controls where applicable. Within 120 days, deploy enhanced logging, privileged access monitoring, and DSAR-integrated incident response procedures. Prior to the phased compliance deadlines in 2024 and 2025, conduct independent audits, validate BCDR capabilities, and ensure vendor contracts reflect the new requirements. By embedding DSAR considerations into cybersecurity governance, financial institutions can comply with NYDFS’s second amendment while reinforcing consumer trust and resilience.