Regulatory Context for New York Cybersecurity

New York operates one of the most layered cybersecurity regulatory environments in the United States, drawing authority from state-specific statutes, sector-focused agency rules, and overlapping federal frameworks. This page maps the governing sources, institutional roles, and structural relationships that define compliance obligations for organizations operating within the state. Understanding this landscape is essential for financial institutions, healthcare entities, government agencies, and any business that collects personal data from New York residents.


How the Regulatory Landscape Has Shifted

New York's cybersecurity obligations have expanded substantially since 2017, when the New York Department of Financial Services (NYDFS) issued 23 NYCRR 500 — the first state-level cybersecurity regulation specifically targeting financial services entities. That rule established prescriptive requirements for risk assessments, multi-factor authentication, encryption, and incident reporting, setting a benchmark that influenced subsequent state-level efforts nationwide.

The New York SHIELD Act (Stop Hacks and Improve Electronic Data Security Act), signed into law in 2019, broadened the scope of breach notification requirements under New York General Business Law § 899-aa and added affirmative data security obligations under § 899-bb. Unlike the NYDFS framework, SHIELD Act obligations apply to any business that holds private information about New York residents — regardless of where that business is physically located.

NYDFS amended 23 NYCRR 500 in November 2023, introducing a two-tiered classification system: "Covered Entities" and a new "Class A" designation for larger firms with more than 2,000 employees or over $1 billion in gross annual revenue. Class A companies face stricter requirements including independent audits and enhanced endpoint detection controls. The full text of the amended rule is available through the New York State Register.

A parallel track of enforcement has emerged through the New York Office of the Attorney General (OAG), which has pursued enforcement actions under the SHIELD Act and General Business Law Article 22-A. New York OAG cybersecurity enforcement actions have produced publicly available guidance documents that function as de facto compliance benchmarks.


Governing Sources of Authority

New York cybersecurity law draws from four distinct source types:

  1. State statute — New York General Business Law §§ 899-aa and 899-bb (SHIELD Act); New York State Technology Law; and sector-specific provisions embedded in the Insurance Law and Banking Law.
  2. Agency regulation — 23 NYCRR 500 (NYDFS); New York State Office of Information Technology Services (ITS) security policies applicable to state agencies.
  3. Federal statute and regulation — The Health Insurance Portability and Accountability Act (HIPAA), administered by the U.S. Department of Health and Human Services Office for Civil Rights; the Gramm-Leach-Bliley Act (GLBA); and the Federal Trade Commission (FTC) Safeguards Rule (16 CFR Part 314).
  4. Voluntary frameworks — The NIST Cybersecurity Framework (CSF), published by the National Institute of Standards and Technology, is not legally binding in New York but is explicitly referenced in ITS policy documents and OAG guidance as a compliance baseline.

For organizations in the financial sector, NYDFS cybersecurity regulation 23 NYCRR 500 represents the most prescriptive layer of obligation. For healthcare entities, HIPAA's Security Rule (45 CFR Part 164, Subpart C) sets the federal floor while New York healthcare cybersecurity obligations may impose additional state-level requirements through the Department of Health.


Federal vs. State Authority Structure

The federal-state relationship in New York cybersecurity compliance is not simply hierarchical — it is concurrent, sector-dependent, and in certain areas explicitly preemptive.

Where federal law preempts: HIPAA expressly preempts state privacy laws that are less protective, though New York's laws in some respects exceed HIPAA's floor and are therefore preserved. The FTC Act's prohibition on unfair or deceptive acts applies nationwide and cannot be displaced by state law.

Where state law adds obligation: NYDFS 23 NYCRR 500 imposes requirements on covered financial entities that exceed what federal banking regulators mandate — particularly regarding Chief Information Security Officer (CISO) designation, penetration testing intervals, and the 72-hour incident reporting window. The SHIELD Act's data security obligation under § 899-bb has no direct federal counterpart for non-financial, non-healthcare businesses.

Concurrent enforcement: A New York-based financial institution may simultaneously face examination by NYDFS, the Federal Reserve, the Office of the Comptroller of the Currency (OCC), and the Federal Deposit Insurance Corporation (FDIC) — each applying different cybersecurity standards. Coordination between these bodies is addressed in part through the Federal Financial Institutions Examination Council (FFIEC) guidance documents, but gaps and overlaps remain operationally significant.

For a detailed treatment of how these obligations interact at the sector level, New York financial sector cybersecurity maps the specific regulatory chains applicable to banks, insurers, and money transmitters licensed in the state.


Named Bodies and Roles

The primary regulatory and enforcement bodies with jurisdiction over New York cybersecurity, as described on this page, are:

  1. New York Department of Financial Services (NYDFS): issues and enforces 23 NYCRR 500 and examines covered financial entities, including the Class A tier added in the November 2023 amendment.
  2. New York Office of the Attorney General (OAG): enforces the SHIELD Act and General Business Law Article 22-A, and publishes guidance that functions as a de facto compliance benchmark.
  3. New York State Office of Information Technology Services (ITS): sets security policies applicable to state agencies, referencing the NIST CSF as a baseline.
  4. New York State Department of Health: may impose state-level healthcare cybersecurity requirements beyond the HIPAA floor.
  5. U.S. Department of Health and Human Services Office for Civil Rights: administers HIPAA, including the Security Rule.
  6. Federal Trade Commission (FTC): enforces the FTC Act and the Safeguards Rule (16 CFR Part 314).
  7. Federal banking regulators (Federal Reserve, OCC, FDIC): examine New York-based financial institutions concurrently with NYDFS, with coordination addressed in part through FFIEC guidance.


Scope and Coverage Limitations

This page addresses the regulatory framework applicable to organizations operating in New York State or holding private information about New York residents. It does not constitute legal advice and does not address the laws of other states or the District of Columbia. Organizations with multistate operations must independently analyze the compliance obligations of each jurisdiction where they hold customer data — New York's SHIELD Act obligations, for example, do not substitute for California Consumer Privacy Act (CCPA) requirements under California Civil Code § 1798.100.

Federal contractors and defense industrial base entities are subject to additional frameworks — including NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) — that fall outside the scope of state-level New York regulation documented here. Municipal and school district obligations, while grounded in state law, involve distinct compliance pathways addressed separately in New York municipal cybersecurity and New York K-12 education cybersecurity.


References

10 regulatory citations referenced; citations verified Feb 25, 2026.
