New York State cybersecurity regulations for financial institutions

08 December 2017

Special feature from JLT Consortium Partner CrowdStrike

On March 1, 2017, New York State put new cybersecurity requirements into effect for financial services organisations. They are some of the most stringent regulations of this kind to date, but you shouldn’t assume that they only apply to entities headquartered in New York State.

Officially known as The New York State Department of Financial Services (NYDFS) Cybersecurity Requirements for Financial Services Companies, they are a set of rules that apply directly to those businesses that are supervised by the NYDFS. This includes any entity operating under the jurisdiction of New York banking, insurance, and financial services law and headquartered within the state. However, these regulatory rules also apply to third-party service providers and application vendors that may have their headquarters elsewhere.

The following are just some of the regulations with which “covered entities” must comply unless otherwise stated below. Failure to comply can result in steep fines or civil penalties:

Cybersecurity programme: you must show evidence (documentation) that you have a cybersecurity programme in place and that it is sufficient to protect the confidentiality, integrity and availability of your information systems. Your programme must be informed by a risk assessment, which is also mandated by these regulations.

Cybersecurity policy and incident response plan: you must write and maintain both a cybersecurity policy that addresses the areas specified in the risk assessment and a detailed incident response plan.

Third-party service provider policy and training: this requires that a covered entity not only establish policies that ensure due diligence and contractual protections for third-party engagements, but also set out minimum security practices to which third parties must adhere.

Penetration testing and validity assessments: this is another requirement based on your risk assessment, validating that you monitor and test the effectiveness of your cybersecurity programme.
You must either ensure continuous monitoring or establish periodic pen testing and vulnerability assessments. CrowdStrike recommends both.

Encryption of non-public information: this rule requires that controls, including encryption, based on your risk assessment, must protect non-public data both in transit over external networks and at rest.

These are some, but not all, of the rules stipulated in this legislation, and financial institutions should first establish whether they, or any of their products, services or locations, fall within the definition of a covered entity subject to the regulation.


The good news is that CrowdStrike offers a robust range of products and services that can assist you in complying with many of the requirements in these new regulations.

For example, we can assist with cybersecurity assessments: our experts perform several types of assessments that help organisations understand their risks and develop plans of action to address the areas of greatest concern. These include risk assessments that examine the likelihood and impact of potential attacks on different assets, as well as maturity assessments that help ensure an organisation has the appropriate people, processes and technologies in place to address the level of risk they face.

While compliance with these new cybersecurity regulations is the end goal, all organisations should be preparing to stop the next attack on a regular, continual basis. Leveraging the expertise and technical advantages of CrowdStrike services and the Falcon platform will empower your organisation to do just that: our team will help you identify any gaps in your people, processes and technology, so you can take the necessary steps to address any identified issues.

For further information, please contact Sarah Stephens, Head of Cyber, Content and New Technology Risks on