Now that the final regulations are out, and it will be effective starting March 1, 2017, if you are looking for an executive summary of the regulations, and if you are curious  about what changed between  the draft and the final one - here we go.

As a summary - The 1st draft of the New York Department of Financial Services (NYDFS) Cyber Security regulation was released in September 2016, targeting the information and data security domain of financial services companies in NY.

It was kept open to public comments and feedback for 3 months, and the final regulation was published on December 28, 2016. It is going to be effective on March 1, 2017. Period.

One of the biggest concerns was that the regulation had not taken the size of the organizations into account. Some of the original requirements would have been costly for smaller organizations. The good news is that NYDFS has taken those concerns into account and provided different options to accomplish them in the final regulation. 

There are 23 sections in total under main section 500. We will not go through the complete regulation here. You can check out our earlier blog posts here (updated now with the latest changes)

Part 1 - 500.01 to 500.08

Part 2 - 500.09 to 500.17

The following were the 4 major changes to the original draft. (for the ones who care)

500.4. CISO can be from a 3rd Party Service Provider and you can adopt their Cyber Security Program (earlier you or your affiliate needed to hire a CISO and setup a Program)

500.5  Vulnerabilities Scan has got reduced to Half Yearly (earlier it was Quarterly).  Penetration Testing remains same at Yearly. 

500.6. Audit Trail data now has to be maintained only for 5 years (earlier it was 6 years)

500.9. Risk Assessments should be done on a periodic basis as per the policy you setup (earlier it was supposed to be done Annually)


In addition, they have added these 6  new sections that are related to helping implement the regulations,  as below (Part 3 - 500.18 to 500.23)