NYDFS oversees approximately 4,400 entities with assets of about $6.2 trillion

Framework Snapshot

The New York Department of Financial Services (NYDFS) oversees approximately 4,400 entities with assets of about $6.2 trillion. To protect those institutions and their customers, NYDFS has imposed a cybersecurity regulation (23 NYCRR Part 500) on financial institutions that operate under an NYDFS license, registration, or charter. Examples of covered entities include state-chartered banks, licensed lenders, private bankers, foreign banks licensed to operate in New York, mortgage companies, insurance companies, and other service providers that hold an NYDFS license. Limited exemptions are available for small organizations.

NYDFS does not mandate a specific standard or framework for the risk assessment process. Rather, it advises covered entities to adopt the framework and methodology that best fits their risk profile and operations. Two frameworks widely adopted by NYDFS covered entities are the FFIEC Cybersecurity Assessment Tool (CAT) and the NIST Cybersecurity Framework (NIST CSF).

NYDFS Automation: Compliance for Less

The SureShield platform simplifies NYDFS compliance by automating technical controls and guiding you through operational controls. SureShield’s automation will reduce your overall NYDFS compliance cost by up to 70% when compared to traditional, labor-intensive compliance methods. For organizations that must comply with multiple frameworks, crosswalk automation drives cost savings of up to 90%.

NYDFS Regulation Requirements

    Goal of the NYDFS Cybersecurity Regulation

    Safeguard Sensitive Customer Data

    NYDFS focuses on protecting the nonpublic information of customers of financial institutions operating in New York, including data those institutions share with third-party service providers such as banks.

    Promote Integrity Of IT Systems

    NYDFS requires supervised entities to periodically assess their risk profile and to implement a cybersecurity program that identifies and mitigates the risks that assessment reveals.

    Build A Robust Financial System

    NYDFS aims to build a financial system that’s equitable, transparent, and resilient.

    A cybersecurity program that complies with the NYDFS cybersecurity regulation will address the program elements listed below. NYDFS conducts regular examinations to evaluate its regulated entities’ cybersecurity risk exposure based on past performance, annual certifications of compliance, assessments, cyber events, questionnaires, and other metrics.

    • Cybersecurity policy design: Information security, access controls, disaster recovery planning, systems and network security, customer data privacy, and regular risk assessments
    • Reporting procedures: Cybersecurity policies and procedures, security risks, effectiveness of current cybersecurity measures, periodic reporting by the CISO to the board, and notice to NYDFS of a cybersecurity event within 72 hours of determining that it occurred
    • Program development: Audit trail, documentation, data retention policy, encryption, and other robust security control measures
    • Third-party security: Risk assessment of third-party service providers, third-party security requirements, a process for evaluating the effectiveness of third-party security practices, and periodic assessments of third-party policies and controls

    • Activate the NYDFS framework
    • Install the scanner for compliance evidence gathering
    • Review baseline evidence to score compliance control status
    • Close compliance gaps
    • Ongoing compliance and gap surveillance
    • Enforced maintenance of compliance readiness

    Free Compliance Assessment

    Do you need help assessing your compliance readiness? Learn how our automated crosswalk technology can dramatically reduce your labor requirements. Schedule your free consulting session of up to 1 hour.