New York Department of Financial Services (NYDFS) 

The state of New York Department of Financial Services (“NYDFS”) finalized its new cybersecurity rule (“23 NYCRR 500”) which creates new information security requirements for a “Covered Entity” under NYDFS supervision. This new detailed regulation includes requirements to appoint a Chief Information Security Officer (“CISO”), to implement and maintain a written cybersecurity policy, and Governance of a cyber security program. 

CyberSecOP provides a Virtual CISO security program, which helps our client to quickly comply with the NYDFS mandates, protecting our clients from fines from New York Department of Financial Services NYDFS.

We accomplish the above by assigning an executive level CISO to create a NYDFS strategic plan which aligned with the company budgets and goals.  



Cyber attacks have being growing and New York State Department of Financial Services understand this is a growing problem, In response to the increasing cyber security threat posed to information and financial systems, the New York State Department of Financial Services (NYDFS) has passed the State of New York’s Cyber security Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017 in an effort to protect customer information, as well as the IT systems of regulated entities.

What is NYDFS 23 NYCRR 500?

23 NYCRR 500 is a cybersecurity regulation passed by the New York State Department of Financial Services (NYDFS) in early 2017. According to their website, the purpose of the NYDFS cybersecurity regulations is to “promote the protection of customer information as well as the information technology systems of related entities.”

The New York cybersecurity regulations are applicable to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.

To follow the NYDFS cybersecurity regulations, companies are now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with this regulations.”

Specific NYDFS 23 NYCRR 500 cybersecurity requirements include (but are not limited to):  

  • NYDFS Risk assessments to inform the program’s design

  • NYDFS Identification and assessment of external cybersecurity risks

  • NYDFS Controls, policies, and procedures for mitigating those risks

  • NYDFS Fulfillment of regulatory reporting requirements

  • NYDFS Chief Information Security Officer (CISO)

  • Data Governance and Classification

NYDFS High Level Requirement 

  • Establish a cybersecurity program

  • Implement and maintain a written cybersecurity policy

  • Designate a CISO

  • Implement an audit trail

  • Utilize access privileges

  • Evaluate, assess, and test security of in-house and external technology applications

  • Conduct a periodic risk assessment

  • Ensure cybersecurity personnel are properly trained and qualified

  • Establish policies and procedures to protect nonpublic information held by third party service providers

  • Implement multi-factor or risk-based authentication

  • Ensure secure disposal on a periodic basis of any nonpublic information

  • Monitor and train all firm personnel

  • Encryption of nonpublic information

  • Establish a written incident response plan

  • Notify the superintendent regarding any cybersecurity event within 72 hours

For more link on NYDFS Cybersecurity Regulation Consulting Services