NYDFS cybersecurity: Not just for New York-licensed companies

The discussion surrounding the New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements has largely focused on financial institutions based in New York State, but it’s worth remembering that the Regulation’s influence is not necessarily limited by the state’s borders.

In fact, given that the Regulation applies to any financial institution with a branch in New York, as well as third-party suppliers of New York-based institutions, the NYDFS’s Cybersecurity Requirements will have a national, and even international, influence.

Financial institutions with branches in NY

Even if a Covered Entity – that is to say, an individual or organization that operates under a license, permit, or other authorization under the New York banking law – is not headquartered in New York, it must still comply with the Regulation if it has branches in the state that are under the authority of the NYDFS.

Since many of the world’s largest financial services companies – as well as many national or regional ones – have branches in New York, they will be subject to the Regulation.

Third-party suppliers

The Regulation affects not only financial institutions under the authority of the NYDFS, but also the internal and third-party suppliers and service providers of those companies.

Additionally, affiliates that support or share data platforms and systems with NYDFS-regulated firms must comply with the Regulation.


While the Regulation, in principle, applies to all Covered Entities, the NYDFS provides a number of exceptions. This means that some financial institutions are exempt from certain sections of the Cybersecurity Requirements.

These exemptions are broken down into nine types of entities that fall into five categories.

How to comply with the Cybersecurity Requirements

For advice on achieving compliance with the Cybersecurity Requirements, IT Governance has written a free two-part green paper showing you how the international standard ISO 27001 can be used as a framework to help meet the Regulation’s demands.

Download NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard to learn how to simplify the implementation process with ISO 27001.

If you download this green paper, you will also receive Part 2: Mapped Alignment with ISO 27001, which shows you how ISO 27001 provides additional controls to strengthen your cybersecurity posture.