New York State DFS Mandate and GDPR Mandate – What we can learn

Takeaways from NYS DFS and GDPR Mandates
While we are referencing two specific mandates (one for New York State and one that is global), all states have their own regulations in place to protect data and to require organizations to report data breaches. Such regulation will continue to expand beyond the financial and medical industries and across state and country borders. Below are some baseline practices all businesses should begin implementing.
Here is a quick definition of the NYS DFS Mandate and the GDPR Mandate:
- New York’s Department of Financial Services (DFS) cybersecurity regulation – known as “23 NYCRR 500”, it is intended for financial organizations.
- General Data Protection Regulation (GDPR) – a regulation intended to strengthen and unify data protection for all individuals within the EU.
Here is a list of key takeaways that these mandates enforce:
- Policies and Training – the easiest and least costly action for any business is to institute a cybersecurity policy. This would include rules and training for every employee on the following topics:
  - BYOD Policy – if employees bring their own devices to the workplace, a policy for proper usage.
  - Password Policy – strength of passwords, change interval and historical retention.
  - Acceptable Use Policy – how company data can be used and shared.
  - Remote Access Policy – requirements for users working from home.
  - Patch Management Policy – defines how software patches are installed and when.
  - Security Awareness and Training – bringing in experts to train and inform staff on how to best do their jobs and protect company data.
- Having an Information Security Plan – just like a mini business plan, there should be an all-encompassing program defining how your organization will remain up to date on security.
- Technologies that will help:
  - Encryption – any device that has confidential data stored on it should be encrypted. Email communication that contains any sensitive data should also be encrypted.
  - Antivirus / Anti-Malware – make sure you are not using Microsoft Security Essentials or Defender. Put in place a managed solution with a portal showing the status of all virus detections and updates.
  - Backup and Disaster Recovery Plan – have the difficult discussions about what happens if your key applications were to go down or, worse, your equipment or facility. Determine the Return to Operations timeline (RTO) to identify when you have to have these applications back online.
  - Vulnerability Scanning – software is available to scan your network and external connection for any known vulnerabilities.
  - Patch Management – software is available that can update Microsoft Windows and other applications in a controlled manner with the patches released for security.
  - Multifactor Authentication – ensuring that logging into critical systems requires something you know and something you have. In practice this means a username/password plus additional proof from a key fob or a text to a cell phone.
Just like any major change, it is important to have a plan to improve continuously over time. You could address training and policies first, implement Disaster Recovery (to recover if something does happen), and then address each remaining point over time.
