NY DFS Incident Response Requirements

Espresso Labs Team

23 NYCRR Part 500 has some of the most specific incident response and breach notification requirements of any state cybersecurity regulation. The November 2023 amendments tightened these rules, replaced the old reporting trigger with a defined “cybersecurity incident” threshold, and added a separate obligation to report extortion (ransomware) payments. Understanding these requirements, and having the detection and triage capability to meet them, is essential for any covered entity.

Written Incident Response Plan (IRP)

Every covered entity must maintain a written incident response plan (Section 500.16) that addresses:

  • The goals of the plan and the internal processes for responding to cybersecurity events
  • Roles, responsibilities, and levels of decision-making authority for each function and individual during an incident
  • Internal communications, including escalation procedures
  • External communications and information sharing, including notifications to regulators, customers, and other affected parties
  • Evidence collection and preservation, and documentation and reporting of events and the response to them
  • Remediation of identified weaknesses, and recovery procedures (the 2023 amendments also require a business continuity and disaster recovery plan alongside the IRP)
  • Post-incident evaluation and revision of the plan following a cybersecurity event

The plan must be tested at least annually, with the staff and management who would actually be critical to the response taking part, and revised as necessary afterward. A tabletop exercise, in which your team walks through a realistic incident scenario, is the most common form of testing and is well-regarded by DFS examiners.

72-Hour Notification to DFS

Covered entities must notify the DFS Superintendent within 72 hours of determining that a “cybersecurity incident” has occurred (Section 500.17(a)). The regulation distinguishes two terms. A cybersecurity event is any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or the information stored on it. A cybersecurity incident is a cybersecurity event, at the covered entity, an affiliate, or a third-party service provider, that (1) impacts the covered entity and requires it to notify any government body, self-regulatory agency, or other supervisory body, (2) has a reasonable likelihood of materially harming any material part of the covered entity’s normal operations, or (3) results in the deployment of ransomware within a material part of the covered entity’s information systems. Only incidents trigger the 72-hour notice.

This notification requirement is among the strictest in the country. The 72-hour clock starts when you determine that a cybersecurity incident has occurred, not when the event started, and not when the investigation is complete. “Determination” is the point at which you conclude that an event meets one of the three criteria above, so your triage process needs to reach that conclusion quickly and record when and on what basis it was made; examiners will compare that timestamp against your detection and alert records.

What to include in the notification:

  • Nature of the cybersecurity event
  • Approximate date of occurrence
  • Systems and data impacted
  • Whether it affected customers’ NPI
  • Remediation steps underway

You do not need to have a complete investigation before notifying. The DFS expects notification within 72 hours with the information available at that time, and the regulation imposes a continuing obligation to update and supplement what you reported and to promptly provide any further information the Department requests.

Ransomware Reporting

The 2023 amendments added specific requirements for extortion payments made in connection with a cybersecurity event (Section 500.17(c)):

  • Within 24 hours of the payment: Notify the DFS that an extortion payment was made
  • Within 30 days of the payment: Submit a written description of the reasons the payment was necessary, the alternatives considered, the diligence performed to find alternatives to paying, and the diligence performed to ensure the payment complied with applicable rules, including OFAC sanctions requirements

This is a significant change from prior practice. The payment notice is a separate obligation from the 72-hour incident notice and does not replace it. Deployment of ransomware within a material part of your systems is itself a reportable incident, and a payment must be disclosed within 24 hours even where the underlying event did not meet that threshold.

When Notification Is NOT Required

Not every security event requires DFS notification. A cybersecurity event that meets none of the three incident criteria (no notice owed to another regulator, no reasonable likelihood of material harm to a material part of operations, and no ransomware deployed in a material part of your systems) is not reportable under Section 500.17(a). For example:

  1. An event that does not impact the covered entity’s information systems or NPI (for example, a phishing email that was blocked before any systems were compromised)
  2. A failed attempt with no impact on systems or data

Keep in mind that non-reportable events still fall within the IRP: they should be logged, triaged, and documented, because the decision not to notify is one you may later have to justify. Determining quickly whether an event crosses the threshold requires good monitoring, detection, and investigation capabilities.

Annual IRP Testing

Once a year, covered entities must test their incident response plan. Testing can take the form of:

  • Tabletop exercises: Team walks through a hypothetical incident scenario to identify gaps in the plan and test coordination
  • Simulated incident: A more active exercise that includes technical simulation components
  • After-action reviews: Following a real incident, a structured review of how the plan performed

Test results must be documented and retained as evidence supporting the annual certification of compliance. Records supporting the certification must be kept available for DFS examination for five years, so keep exercise scenarios, participant lists, identified gaps, and the resulting plan revisions together with the certification file.

How Espresso Labs Helps

Espresso Labs provides 24/7 monitoring and incident detection as part of our managed service. When an event occurs, we triage it, assess its notification threshold, and help initiate the regulatory notification process within the required timeline. We also maintain and annually test an incident response plan for our clients, so there’s no scramble when an event happens. Contact us to learn how we handle incident response for NY DFS-covered clients.

Ready to Get Started?

NY DFS compliance does not have to require a large internal team or a 6-figure budget. Espresso Labs delivers it as an automated, managed service so you can focus on running your business, not managing controls.

Talk to our team