New York City

New York Cybersecurity Regulations

Clarus Tech Partners Can Develop Your

New York Cybersecurity Programs

& Scan Your Systems for Compliance

New York Shield Act

On July 25, 2019, New York Governor Andrew Cuomo signed into law the Stop Hacks and Improve Electronic Data Security (SHIELD) Act. This law protects consumers’ personal and private information and impacts all New York businesses, as well as businesses in other states, that have access to data of New York residents.

This law is especially impactful on unregulated industries, such as the real estate, retail and certain service industries, which, until now, small businesses in certain U.S. states and countries were not required by law to adopt cybersecurity-related programs.  However, for example, a mid-size New York real estate management company that maintains New York tenant information is now required to develop a Cybersecurity Program among other requirements to protect the data of those tenants.  Similarly, a New York real estate developer who has employee information also needs to comply with the requirements of the NY SHIELD Act.

What Does this Law Include? 

  • The SHIELD law expands the data security and breach notification requirements to cover any business that collects personal or private data of New York residents and not just companies that conduct business in the state of New York.

  • A data breach notification must be sent to any consumer whose data breached potential incidents and breaches will need to be reported to the New York’s Attorney General and Federal Authorities.

  • This law protects personal and private data including: biometric information, personal names, personal identifiers, email addresses, email passwords, email security questions and answers, Social Security numbers, driver’s licenses, ID cards and any financial and account number information including debit and credit card information.  This results in more data elements requiring notification if breached.

Who Does this Law Affect? 

  • Every business that has any employees or customers who live in New York - whether the company is based in another state or another country needs to implement this new policy.

  • Even small businesses, with fewer than 50 employees and less than $3 million in gross annual revenue in the past three years or less than $5 million in year-end total assets, will need to comply with the new regulation.  


What do you need to do to comply?

  • The full law identifies a significant number of steps a business needs to take.  These are the highlights:

    • Develop comprehensive Cybersecurity Policies & Procedures

    • Develop and implement a Cybersecurity Program

    • Appoint a Chief Information Security Officer (CISO), either virtual or in-house individual who is tasked with overseeing the Cybersecurity Program

    • Conduct diligence on all third-party vendors to insure that they have appropriate cybersecurity-related internal controls 

    • Assess risks of information storage and disposal

    • Test and monitor the cyber security controls, systems and procedures

    • Train employees in cybersecurity best practices

When do Companies Need to Comply? 

  • ​Businesses must comply within 240 days of when Governor Cuomo signed the law which is by March 21, 2020.  


What are the Penalties? 

  • Failure to implement a compliant information security program is enforced by the New York State Attorney General and may result in injunctive relief and civil penalties of up to $5,000 for each violation.  The New York State Attorney General can seek up to $250,000 for violations by a company.  


Enacted and regulated by the New York State Department of Financial Services (NYDFS), the new 23 NYCRR 500 Cybersecurity Regulation requires banks, financial services institutions, and insurance companies to create cybersecurity and data privacy compliance programs.

Like many other U.S. and international cybersecurity and data privacy laws, the purpose of this new regulation is to address the heightened level of cyber risks and data breaches that financial services and insurance companies are exposed to and this Cybersecurity Regulation is designed to help protect their customers' confidential information and their information technology systems from cyber attacks.


NYDFS requires that companies assess their cybersecurity risks and design cybersecurity programs that address their risks.  An organization's senior management is designated as responsible for the entity’s cybersecurity program and must file an annual certification with NYDFS confirming compliance with the regulation.

New York Department of Financial Services (NYDFS):

What Does the 23 NYCRR 500 Regulation Require? 

  1. Conduct a Vulnerability Assessment

  2. Establish a Cybersecurity Program

  3. Implement and maintain a written Cybersecurity Policy

  4. Ensure that the proper levels of access are limited to the proper personnel and systems

  5. Designate a qualified Chief Information Security Officer (CISO)

  6. Utilize qualified cybersecurity personnel, an Affiliate or a Third Party Service Provider (TPSP) to manage the cybersecurity risks and oversee the cybersecurity program

  7. Evaluate, assess, and test security of in-house and external technology applications

  8. Conduct annual Penetration Testing and Vulnerability Assessments

  9. Implement multi-factor or risk-based authentication and encryption measures

  10. Ensure cybersecurity personnel are properly trained and qualified

  11. Monitor and train all firm personnel

  12. Establish a written incident response plan

  13. File regulation compliance with the NYDFS

  14. Notify the NYDFS superintendent regarding any cybersecurity event within 72 hours

What Types of Organizations Must Comply?

Banking, insurance, or financial services organizations are the “Covered Entities”.  The NYDFS Cybersecurity Regulation includes any organization that is regulated by the Department of Financial Services and a Covered Entity includes the following:

  • Licensed lenders

  • State-chartered banks

  • Trust companies

  • Service contract providers

  • Financial Service Centers

  • Mortgage Brokers

  • Mortgage companies

  • Private bankers

  • State-chartered banks

  • Trust companies

  • Hedge Funds

  • Check cashers

  • Non-U.S. banks that conduct business in New York

  • Insurance companies doing business in New York

Are There any Exemptions for the 23 NYCRR 500 Regulation?



The regulation provides LIMITED exemptions for organizations with:


  • Fewer than 10 employees, including any independent contractors, or

  • Less than $5 million in gross annual revenue for three years, or

  • Less than $10 million in year-end total assets.


These are limited exemptions and you must still design and implement a cybersecurity program that meets some but not all the regulatory requirements.  This includes submitting an annual Certification of Compliance with the NYDFS.

When Do You Need to Comply?

March 1, 2019

There were phase-in transition periods for different parts of the provisions between 2017 - 2019.


March 1, 2019 – The two-year transitional period ended and Covered Entities are now required to be in compliance with all the regulation requirements.

Clarus Tech Partners,  with an office in New York, has a team of cybersecurity and  data privacy compliance experts and will assess your security risks and design a  cyber program that addresses your specific business needs so your organization will be in compliance with the NY Shield Act and NYDFS Cybersecurity Regulations

schedule your consultation.
Consult with our team of experts at Clarus Tech Partners.  Contact us