In my previous post, I discussed what data privacy is and why it’s important. In my post today, I want to discuss data privacy laws, specifically involving New York State Department of Financial Services (NYDFS) 23 NYCRR 500.
The New York State Department of Financial Services (NYDFS) 23 NYCRR 500 is a set of regulations that place cybersecurity requirements on all covered financial institutions. The law took effect on March 1, 2017 and outlines the requirements for developing and implementing an effective cybersecurity program, requiring covered institutions to assess their cybersecurity risks and develop plans to proactively address those risks.
Who is Affected?
The NYDFS cybersecurity regulation applies to all entities operating under, or required to operate under, DFS licensure, registration, or charter, and to entities that are otherwise DFS-regulated. By extension, it also reaches unregulated third-party service providers to regulated entities.
Examples of covered entities include:
- State-chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York
- Mortgage companies
- Insurance companies
- Service providers
There are few exemptions to the NYDFS cybersecurity regulation. Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in total year-end assets are exempt from certain requirements of the regulation.