NY DFS 23 NYCRR 500 Compliance

What is the New York Cybersecurity Regulation?

23 NYCRR Part 500 Financial Services Law

The Department of Financial Services (DFS) has broad authority to take appropriate action to ensure that providers of financial products and services to New York consumers remain solvent, protect consumers, and act reasonably to guard against financial fraud, criminal abuse, and unethical conduct. With cybercrime on the rise, the DFS proposed new Cybersecurity Requirements for Financial Services Companies, designed to ensure the safe and sound operation of financial providers and to protect New York's consumers. Covered entities include, but are not limited to, banks, lenders, and insurance companies. Check whether your business classification is among the covered entities.

The proposed rule specifies what each supervised entity must do. This includes the following:

  • Establish a cybersecurity program
  • Maintain written cybersecurity policies
  • Follow data governance and classification practices
  • Conduct annual penetration testing
  • Conduct quarterly vulnerability assessments
  • Institute log management
  • Implement access controls based on "least privilege"
  • Develop an application security practice for internally developed applications
  • Perform an annual risk assessment
  • Employ cybersecurity professionals to manage your risks
  • Launch a third-party information security policy and risk management program
  • Configure multi-factor authentication
  • Implement record retention policies and procedures
  • Provide security awareness training
  • Institute data encryption for data in transit and at rest
  • Develop and test a security incident response plan
  • Report on risks to the company's board or governing body on a bi-annual basis
  • Annually certify your compliance to the DFS