author photo
By Shawn E. Tuma
Wed | Nov 30, 2016 | 8:04 AM PST

Note: This is the second post in a multi-part series about compliance with the New York Department of Financial Services Cybersecurity Regulations for businesses in and out of New York and the financial services industry. Overall, this series will serve as a guide for understanding how the NYDFS Cybersecurity Regulations will likely impact your business. Review Part 1 here.

This post explores the expansive meaning of companies that are regulated by the NYDFS Cybersecurity Regulations and explains why that group is much larger than most would intuitively believe when thinking of companies regulated by a department of “financial services.”

The cybersecurity threat is ubiquitous, and no industry or region is immune from the risks it poses. Recognizing the seriousness of this risk, the New York Department of Financial Services developed Proposed Cybersecurity Requirements for Financial Services Companies (the “Cybersecurity Regulations”) that were released for comment on September 13, 2016. The Cybersecurity Regulations go into effect on January 1, 2017 and full enforcement begins on July 1, 2017.

What is a Covered Entity?

The NYDFS Cybersecurity Regulations apply to what they define as Covered Entities. Covered Entity means any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the banking law, the insurance law or the financial services law.[1] Put simply, a Covered Entity is any entity regulated by the NYDFS.

History of the NYDFS

The New York Department of Financial Services was created by the Financial Services Law in 2011 and was a consolidation of the previous New York State Banking Department and New York State Insurance Department, which were abolished. This marked a substantial change because the Banking Department was originally created in 1851 and traced its roots back to 1791, being the oldest bank regulatory agency in the nation, and the Insurance Department was originally created in 1849.

The purpose for this consolidation was to modernize regulation by allowing a single agency to oversee a broader array of financial products and services.[2]

What is the purpose of the NYDFS?

The mission of the NYDFS is to “reform the regulation of financial services in New York to keep pace with the rapid and dynamic evolution of these industries, to guard against financial crises and to protect consumers and markets from fraud.” It does this through its authority to take any actions necessary to:

  • foster the growth of the financial industry in New York and spur state economic development through judicious regulation and vigilant supervision;
  • ensure the continued solvency, safety, soundness and prudent conduct of the providers of financial products and services;
  • ensure fair, timely and equitable fulfillment of the financial obligations of such providers;
  • protect users of financial products and services from financially impaired or insolvent providers of such services;
  • encourage high standards of honesty, transparency, fair business practices and public responsibility;
  • eliminate financial fraud, other criminal abuse and unethical conduct in the industry; and
  • educate and protect users of financial products and services and ensure that users are provided with timely and understandable information to make responsible decisions about financial products and services.[3]

By requiring adequate cybersecurity safeguards for companies that play a role in the financial industry, the NYDFS is fulfilling multiple aspects of its policy objectives.

Companies that are directly regulated

The NYDFS’ reach is expansive in looking only at the companies that it regulates directly.[4] As expected, this includes banks and trust companies, credit unions, foreign bank branches, licensed lenders, health insurers, life insurance companies, property and casualty insurance companies, and savings and loan associations.

There are many more companies that may not be so easily expected:

  • Bail Bond Agents
  • Budget Planners
  • Charitable Foundations
  • Check Cashers
  • Holding Companies
  • Investment Companies
  • Money Transmitters
  • New York State Regulated Corporations (“New York State Regulated Corporations are business entities that are formed and incorporated by the State of New York through legislative acts and placed under the regulatory supervision of the Superintendent.”)
  • Service Contract Providers (“Any person or entity who sells or administers a service contract, and who is contractually obligated to provide service under the service contract.”)

The last two mentioned, New York State Regulated Corporations and Service Contract Providers, are extremely expansive and have the potential to pull many companies within the scope of being directly regulated by the NYDFS without those companies fully appreciating the implications. Here is a complete list of the companies directly regulated by the NYDFS.[5]

Companies that are indirectly regulated: third-party service providers

The reach of the NYDFS’ Cybersecurity Regulations will expand far beyond the companies that it directly regulates to include, to a certain degree, those companies that do business with them. Section 500.11 of the Cybersecurity Regulations specifically addresses the cybersecurity of such third parties and requires Covered Entities to obtain satisfactory assurances that those they do business with have adequate cybersecurity safeguards.

When thinking about one of the objectives of the Cybersecurity Regulations, as well as most other cybersecurity and privacy policies and frameworks, it is to protect the confidentiality, integrity, and accessibility of the information and computer systems. This requires protecting the information at all times, wherever it may be, and with whoever may have possession of it. This also requires having protections in place for all systems that will interact with the Covered Entities’ network.

By implementing these third-party requirements, the NYDFS is trying to ensure that a Covered Entity's information is protected the same way by third parties who may receive the information as is it is when it is in the custody of the Covered Entity. This is the same method that is used under HIPAA[6] for protecting protected health information that is transferred from a Covered Entity under that framework, to a Business Associate. In essence, this means that third-party business partners are becoming business associates.

The Cybersecurity Regulations require “each Covered Entity [to] implement written policies and procedures designed to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, third parties doing business with the Covered Entity.[7] The cybersecurity requirements of such business associates do not require everything that is required of a Covered Entity; however, they do require most features, make it a requirement for their contracts, and require cybersecurity audits. The specific details of such policies and procedures will be addressed in future posts in this series.

Limited exemption for Covered Entities

Covered Entities that meet the following criteria are exempted from some of the requirements of the Cybersecurity Regulations[8]:

  • Have fewer than 1,000 customers in each of the last three calendar years;
  • Have less than $5 million in gross revenue in each of the last three fiscal years; and
  • Have less than $10 million in year-end assets are exempted from some, but not all, requirements of the Cybersecurity Regulations.

The details of this exemption will be discussed in more depth in future posts in this series.

Please check back soon for the third post in this series for an in-depth examination of the specific features of the cybersecurity program that is required by the Cybersecurity Regulations. If you would like to read more about the Cybersecurity Regulations, Richard Santalesa has written an excellent overall summary, and the NYDFS has made available both an outline and full text of the Cybersecurity Regulations.

[1] NYDFS Cybersecurity Regulations, Section 5001.01(c).

[2] NYDFS: History, New York Department of Financial Services,

[3] NYDFS: Policy, New York Department of Financial Services,

[4] NYDFS: Who We Supervise, New York Department of Financial Services,; Title 3 Banking, New York Codes, Rules and Regulations

[5] See New York Banking Law, FindLaw

[6] The Health Insurance Portability and Accountability Act of 1996. Pub. L. 104-191. Stat. 1936. Web. 11 Aug. 2014.

[7] NYDFS Cybersecurity Regulations, Section 5001.11.

[8] NYDFS Cybersecurity Regulations, Section 5001.18.

Tags: GRC,