The “first-in-the-nation” cybersecurity regulation of the New York Department of Financial Services (NYDFS), 23 NYCRR 500 (“the Regulation”), became effective March 1, 2017. The Regulation was designed to “promote the protection of customer information as well as the information technology systems of regulated entities.” 23 NYCRR 500.00.

Although the Regulation includes some limited exemptions, even those exemptions still require entities and individuals licensed by NYDFS (“Covered Entities”)—essentially, banks, insurers and other financial services firms located in and outside of New York—to implement certain cybersecurity programs and practices consistent with the Regulation, including risk assessments and controls for third-party service providers (TPSPs) under section 500.11 of the Regulation.