NYDFS cybersecurity: What it means for law firms

(A version of this blog was originally published on April 19, 2017.)

The discussion surrounding the New York Department of Financial Services’ (NYDFS) Cybersecurity Requirements has largely focused on financial institutions based in New York State. However, it’s worth remembering that the Regulation’s influence is not necessarily limited to the state’s borders – nor should it be limited to financial institutions.

Any legal firm that represents an organization supervised by the NYDFS should consider putting in place a cybersecurity program in line with the Regulation. Although it’s not a legal obligation, law firms hold a huge amount of sensitive data on their clients. As a result, they are increasingly being targeted by cyber criminals.

So, although financial institutions may be shoring up their defenses, law firms could still leave criminals with what Brian Levine, senior counsel at the Department of Justice’s Computer Crime and Intellectual Property Section, described as “a backdoor into their clients’ data.”

Because the Regulation has such a large reach, plenty of law firms will have clients that are affected by the Cybersecurity Requirements. Who does that include?

Financial institutions with branches in NY

Even if a Covered Entity – that is to say, an individual or organization that holds a license, permit, or other authorization under the New York banking law – doesn’t have its headquarters in New York, it must still comply with the Regulation if it has branches in the state that are under the authority of the NYDFS.

Many of the world’s largest financial services companies – as well as numerous national or regional ones – have branches in New York, meaning the Regulation will have a national, and even international, influence.

Third-party suppliers

The Regulation applies not only to financial institutions supervised by the NYDFS, but also to internal and third-party suppliers and service providers of those companies.

Additionally, affiliates that support or share data platforms and systems with NYDFS-regulated firms must comply with the Regulation.


While the Regulation, in principle, applies to all Covered Entities, the NYDFS provides a number of exceptions. This means that some financial institutions are exempt from certain sections of the Cybersecurity Requirements.

These exemptions are broken down into nine types of entities that fall into five categories.

How to comply with the Cybersecurity Requirements

If you’re looking to improve your knowledge of the Regulation, you may be interested in our Cybersecurity Requirements Foundation and Lead Implementer training courses.

The New York DFS Cybersecurity & ISO27001 Certified ISMS Foundation Online course shows you how the international standard ISO 27001 aligns with the NYDFS’s requirements.

A more in-depth course, New York Cybersecurity & ISO27001 Certified ISMS Lead Implementer Online, explains how you can lead an ISO 27001 project to help your organization fully comply with the Regulation.

Both courses end with an online examination. If you pass, you will be awarded the ISO 27001 Certified ISMS Foundation qualification or the ISO 27001 Certified ISMS Lead Implementer qualification, depending on the course taken.