NY DFS COMPLIANCE FOR DUMMIES 
Get A FREE No-Obligation Technology and DFS Assessment

LIMITED EXEMPT COMPANIES

In November 2023, New York updated its cybersecurity law, NY DFS 23 NYCRR 500, affecting all financial firms in the state, and those financial companies nationwide with customers from New York.
With the April 15th compliance deadline near, it’s important to understand and apply these new changes.

What do you need to comply with?

The amendments have expanded the number of companies that qualify for Limited Exempt status. However, the number of cybersecurity requirements those companies must meet has increased.

Qualification for Limited Exempt 2024

  1. fewer than 20 employees and independent contractors of the covered entity and its affiliates.
  2. less than $7,500,000 in gross annual revenue in each of the last [3] three fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity’s affiliates; or
  3. less than $15,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all affiliates.

BEFORE:

500.02 Cybersecurity Program

  • Develop and maintain a robust cybersecurity program

500.03 Cybersecurity Policy

  • Implement a comprehensive cybersecurity policy

500.07 Access Privileges

  • Regulate employee access

500.09 Risk Assessment

  • Institute procedures to assess and test the security of externally developed applications.

500.11 Third Party Service Provider Security Policy

  • Implement policies and procedures to ensure the security of information held by third-party service providers

500.13 Limitations on Data Retention

  • Procedure for how and when PII (Personally Identifiable Information) data is disposed of

500.17 Notices to Superintendent

  • Be able to file reporting within 72 hours of data breach or hack

500.18 – 500.23

  • Confidentiality, Enforcements, Dates, Periods, Severability.

NEW REQUIREMENTS AS OF NOV 2023:

500.02 Cybersecurity Program

  • Develop and maintain a robust cybersecurity program
  • Document own cyber program and cyber programs by affiliates

500.03 Cybersecurity Policy

  • Implement a comprehensive cybersecurity policy based on risk assessments
  • Maintained and implemented by employee or third-party with adequate experience
  • Incident response, notification, vulnerability management
  • Asset Inventory and Device Management, including end of life management
  • Network Monitoring
  • Security Awareness and training

500.07 Access Privileges

  • Regulate employee access
  • Multifactor Authentication implementation
  • Remote devices securely configured or disabled
  • Proper termination of accounts and access following departures

500.09 Risk Assessment

  • Institute procedures to assess and test the security of internal and external applications
  • Must be updated annually, AND any time a change in business or technology impacts cyber risk
  • Impact assessment must be conducted
  • Tailored to specific company circumstances for testing

500.11 Third Party Service Provider Security Policy

  • Implement policies and procedures to ensure the security of information held by third-party providers
  • Risk assess third party providers, repeated periodically
  • Policy for third party provider to utilize Multi-Factor Authentication and Encryption
  • Periodically verify third party providers cybersecurity and policy requirements

500.12 Multifactor Authentication (MFA)

  • MFA (Token or App based) implemented for local and remote access to systems

500.13 Access Management and Data Retention

  • Written policies and procedures for complete and accurate documentation of all assets: owner, location, classification, support expiration date, recovery time objectives, update frequency
  • Policies and procedures for secure asset disposal

500.14 Monitoring and Training

  • Periodic, at least annual, cybersecurity awareness training that includes social engineering

500.17 Notices to Superintendent

  • Be able to file a report within 72 hours of a data breach or hack, under an expanded definition of “events” that includes third-party providers and affiliates
  • 24-hour reporting of extortion payments
  • 30-day report explaining why the payment was necessary and what alternatives were considered

500.17 Continued – Proof of Compliance

  • Written statement certifying DFS compliance with ALL requirements, demonstrated by data and document proof
  • Written statement failing DFS compliance, where and why compliance was not achieved, timeline for remediation
  • Produce documentation of compliance upon request to the Superintendent

500.20 Enforcement

  • Any failure to meet any requirement for a 24-hour period, and any failure to secure or prevent unauthorized access, is NON-Compliance

500.20(c) Penalty for Violations

  • Determined by the Superintendent based on 16 new factors

500.18 – 500.24

  • General Confidentiality, Enforcements, Dates, Periods, Severability

DFS COMPLIANCE DONE FOR YOU

Let us handle all of the paperwork and implementation that will bring your company into Full DFS Compliance, alongside technical optimization so you run more smoothly than ever before.

Hand off the stress and frustration of DFS Compliance to an expert Cybersecurity and Compliance Team that works specifically with companies like yours and understands your unique day to day business operations and technical needs.

Start with a FREE No-Nonsense Technology and DFS Compliance Assessment to gain the knowledge of where you stand and what you need. You also need one for certifying proof of DFS Compliance so it’s two birds with one stone – knowledge and power.


Claim your FREE No-Nonsense Technology and DFS Compliance Assessment by CLICKING HERE.

5 Biggest Changes to DFS Law

Multi Factor Authentication

  • Utilize MFA for local access to laptops and computers
  • Remote access, Office 365 and More
  • App or Token Based MFA preferred, Text-Based is no longer secure or recommended

Endpoint Security

  • Endpoint security is a cybersecurity approach that focuses on protecting individual devices, such as computers, smartphones, and servers, from various cyber threats like malware and unauthorized access.
  • It encompasses a combination of measures such as firewalls and intrusion detection systems to secure these devices and safeguard an organization's data and network integrity.

Asset Management and Application Control

  • Must be able to track owner, location, sensitivity, support expiration date, and recovery time objectives for EACH asset (laptop, phone, PC)
  • Regularly update and validate the asset inventory
  • Policy for secure disposal of nonpublic information
  • Have in place the ability to scan and detect malicious applications and prevent them from being installed to systems.
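The asset tracking requirement above is easiest to meet when the inventory is checked mechanically rather than by eye. The following is an added example (not code from this page or from Motiva Networks) showing one way to do that: every record is checked for the required fields (owner, location, classification, support expiration date, recovery time objective), assets whose vendor support has already lapsed are flagged for end-of-life handling, and malformed dates are caught rather than silently passing. The field names, the reference date and the sample records are constructed assumptions; a real inventory export would be mapped onto these names first.

```python
"""Asset inventory completeness and end-of-life check (added example).

Checks that every record carries the fields the amended 500.13 asks for and
flags assets whose support has expired as of a reference date. Field names,
the reference date and the sample inventory below are constructed assumptions.
"""
from datetime import date

# Fields that must be present and non-empty on every asset record (assumed names).
REQUIRED_FIELDS = ("owner", "location", "classification",
                   "support_expiration", "rto_hours")

# Reference date for the end-of-life check (constructed for the example).
AS_OF = date(2024, 4, 15)

# Constructed sample inventory: one complete record, one missing fields,
# one whose support has lapsed, and one with an unparseable date.
SAMPLE_INVENTORY = [
    {"asset_id": "LT-001", "type": "laptop", "owner": "j.doe",
     "location": "NYC office", "classification": "confidential",
     "support_expiration": "2026-06-30", "rto_hours": 8},
    {"asset_id": "PH-014", "type": "phone", "owner": "a.smith",
     "location": "remote", "support_expiration": "2025-12-31"},
    {"asset_id": "PC-207", "type": "pc", "owner": "r.lee",
     "location": "NYC office", "classification": "internal",
     "support_expiration": "2023-10-14", "rto_hours": 24},
    {"asset_id": "LT-099", "type": "laptop", "owner": "m.chen",
     "location": "remote", "classification": "confidential",
     "support_expiration": "soon", "rto_hours": 4},
]


def _parse_iso(value):
    """Return a date for an ISO yyyy-mm-dd string, or None if it will not parse."""
    try:
        return date.fromisoformat(value)
    except (TypeError, ValueError):
        return None


def validate_asset(record, as_of):
    """Return the list of findings for one record; an empty list means it passes."""
    findings = []
    for field in REQUIRED_FIELDS:
        if field not in record or record[field] in (None, ""):
            findings.append(f"missing {field}")
    # Only evaluate end-of-life when a date was supplied at all.
    if "support_expiration" in record:
        expiry = _parse_iso(record["support_expiration"])
        if expiry is None:
            findings.append("unparseable support_expiration")
        elif expiry < as_of:
            findings.append(f"support expired {expiry.isoformat()}")
    # A recovery time objective must be a positive number of hours.
    rto = record.get("rto_hours")
    if rto is not None and (not isinstance(rto, (int, float)) or rto <= 0):
        findings.append("rto_hours must be a positive number")
    return findings


def validate_inventory(inventory, as_of):
    """Map asset_id -> findings for every record that fails at least one check."""
    report = {}
    for record in inventory:
        findings = validate_asset(record, as_of)
        if findings:
            report[record.get("asset_id", "<no id>")] = findings
    return report


if __name__ == "__main__":
    for asset_id, findings in validate_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(asset_id, "->", "; ".join(findings))
```

Run against the sample data, the complete laptop record passes, the phone is reported for its two missing fields, the PC is reported as past support, and the record with the bad date is reported as unparseable. Running a check like this on each inventory refresh is what turns "regularly update and validate the asset inventory" into evidence that can be produced on request.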

Penetration Testing

  • By simulating real-world cyberattacks, penetration testing provides a critical means for agencies to discover and rectify security weaknesses, ultimately improving overall security posture, reducing the risk of breaches, and safeguarding sensitive data and customer trust.

PROOF OF CYBERSECURITY IMPLEMENTATION

  • Certifies entity complied during prior calendar year
  • Must provide data and documentation to accurately demonstrate compliance in the form of reports, certifications or otherwise
  • Signed by CISO (Chief Information Security Officer) and CEO responsible

NEW ENFORCEMENT RULE

500.20 Enforcement: Any failure to meet any requirement for a 24-hour period, and any failure to secure or prevent unauthorized access, is NON-Compliance.
There is no “full exemption” from the law, only limited exempt and not exempt at all.

Compliance Filing Deadline

All entities must file Certification of Compliance and Proof by April 15th, 2024.

Entities must now also report to DFS where they are NOT in compliance

Entities must now also report to DFS where they are NOT in compliance, why they were not in compliance, a proof of plan for coming into compliance for those failings, and a date of which those compliance items will be implemented.

Our Free Compliance Assessment Will Give You The Answers You Want, The Certainty You Need.

This Assessment will provide verification from a Qualified Third Party on your NY DFS Compliance posture, whether or not your current IT company is doing everything they should be, and if your business is at serious risk for hacker attacks, data loss and extended downtime, as well as how to solve these issues.

Walter Contreras, registered NY DFS instructor, Cybersecurity expert, and CEO of Motiva Networks understands how the world’s digital transformation is impacting small to medium sized businesses. With over 25 years of experience in information technology and cybersecurity, his vision is clear – safeguarding and strengthening the digital backbone of business owners.
