New York DFS Cybersecurity Regulation

The New York Department of Financial Services Cybersecurity Regulation (23 NYCRR Part 500) went into effect on March 1, 2017. Applicable to certain businesses in financial services industry, this regulation is in response the ongoing and evolving cyber threats originating from sources such as individual threat actors, terrorists, and nation-states – the very threat sources Proofpoint is dedicated to helping our customers defend against. This regulation establishes a set of cybersecurity requirements applicable to those in the financial services and insurance industries, specifically any financial services business or person that is required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the state’s Banking Law, Insurance Law, or the Financial Services Law. Those falling within the scope of the regulation are required to take certain steps, including:

  • Create a cybersecurity program, policy and incident response plan,
  • Establish a CISO that interacts with and advises the board of directors, and
  • Implement multiple data security measures and reporting requirements.


Such practices are intended to defend against the technological vulnerabilities exploited by cybercriminals to gain access to sensitive electronic data within the financial services industry, while promoting the protection of consumer information and the information technology systems that hold such information. Anyone subject to the regulation should carefully assess their own unique risk profile and implement a responsive plan to both protect their customers, their institution, and to comply with the regulations. It is important to keep pace with technological advancements that can assist in these endeavors. Proofpoint is dedicated to serving our customers who are subject to this regulation and offers many products and services that can assist with achieving compliance.

For certain customers, Proofpoint may be considered to be a Third Party Service Provider under the regulation. In those cases Proofpoint is responsible to: (1) use multi-factor authentication with systems holding Non-Public Information (NPI), (2) use encryption (or compensating controls) for data in transit and at rest, (3) notify our regulated customer of a cybersecurity event that directly and adversely affects its NPI, and (4) represent and warrant our security commitments. The Proofpoint Trust site is a regularly updated resource that provides information about Proofpoint’s use and protection of customer data. Proofpoint’s Security Policy (found on the Trust site) goes into detail regarding the security practices applied to customer data, breach notification, use of subprocessors, and rights to audit and can help customers and potential customers understand the cybersecurity practices that Proofpoint follows to protect our customer’s data.

© 2024. All rights reserved. The content on this site is intended for informational purposes only.
Last updated May 15, 2024.

Proofpoint Trust

Proofpoint helps companies protect their people from the ever-evolving threats in the digital ecosystem.