<img src="https://ws.zoominfo.com/pixel/4CagHYMZMRWAjWFEK36G" width="1" height="1" style="display: none;">
Request Demo

NY DFS Cybersecurity Guide: 23 NYCRR 500 For Financial Services

Are you a financial services entity in New York State? The NY Department of Financial Services has a new cybersecurity regulation that you need to follow. 

NY DFS Mandate

Your New DFS Cyber Regulation

The NYDFS Cybersecurity Regulation23 NYCRR 500, is a new set of regulations from the NY Department of Financial Services (or NY DFS) mandating new cyber security requirements on all covered financial institutions that have entities in the state of New York. New York 23 NYCRR part 500 compliance can be a daunting lift, especially for those who haven't started to remediate, and even for those who have secured compliance but aren't sure how to continuously prove compliance easily without taking time, effort, and resources away from existing projects.

Governor Cuomo announced that their cyber regulation was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put into place a continuously manintained cybersecurity program. The program is supposed to be designed to protect consumers that each financial institution serves, and to secure the New York State’s financial services industry this year and beyond as cyber vulnerabilities evolve. This regulation includes everything from appointing a Chief Information Security Officer to implementing two or multi-factor authentication (2FA or MFA). In short, the reg is quite extensive.


According to the New York DFS, "This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."


The New York State Department of Financial Services noted that it's been "closely monitoring" the cybersecurity threats posed to information and financial systems by cyber terrorists and the growing threat of cyber crime. Cybercriminals often aim to exploit the information of financial entities in order to use for illicit purposes. The DFS regulated entities are by no exception exempt from being the target of these attempted hacks and breaches. The financial services industry as a whole is a target, and the DFS noted as well that it "appreciates that many firms have proactively increased their cybersecurity programs with great success." This success along with the threats posed has lead the DFS to mandate the 23 NYCRR part 500 compliance for financial institutions.

Given the seriousness of the issue and the risk to all regulated entities, certain regulatory minimum standards are warranted, while not being overly prescriptive so that cybersecurity programs can match the relevant risks and keep pace with technological advances. Accordingly, this regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.


In Translation... if you are a New York Financial Services entity and wish to continue your operation in the state of NY, it's important that you ensure the safety and soundness of your organization in accordance with the Department of Financial Services cyber security regulation as soon as possible or, as the DFS says, "swiftly and urgently".


More background on the New York Department of Financial Services cyber requirements:

Blog: New York's Financial Cyber Legislation 23 NYCRR 500 and What You Need to Know


Who is Responsible?

The NY DFS Cybersecurity Regulation applies to all financial services entities operating under a DFS license, registration, or charter. If your organization is DFS-regulated, and by extension, unregulated third party service providers to regulated entities also fall under the mandate.

Some covered entities that fall under 23 NYCRR 500 include:

  • State-chartered banks
  • Private bankers
  • Foreign banks with NY licenses
  • Service providers
  • Mortgage companies
  • Licensed lenders
  • Insurance companies


From the DFS FAQ: Are the New York branches of out-of-state domestic banks required to comply with 23 NYCRR Part 500?

"New York is a signatory to the Nationwide Cooperative Agreement, Revised as of December 9, 1997 (the “Agreement”), an agreement among state banking regulators that addresses supervision in an interstate branching environment. Pursuant to the Agreement, the home state of a state-chartered bank with a branch or branches in New York under Article V-C of the New York Banking Law is primarily responsible for supervising such state-chartered bank, including its New York branches.

In keeping with the Agreement’s goals of interstate coordination and cooperation with respect to the supervision and examination of bank branches, including compliance with applicable laws, DFS will defer to the home state supervisor for supervision and examination of the New York branches, with the understanding that DFS is available to coordinate and work with the home state in such supervision and examination.

DFS notes that New York branches are required to comply with New York state law, and DFS maintains the right to examine branches located in New York.  With respect to DFS’s cybersecurity regulation, given the ever-increasing cybersecurity risks that financial institutions face, DFS strongly encourages all financial institutions, including New York branches of out-of-state domestic banks, to adopt cybersecurity protections consistent with the safeguards and protections of 23 NYCRR Part 500."

Your responsibilities

Your High-Level Requirements

Designate a CISO (time to hire!) who will be responsible for overseeing and implementing your security program as well as enforcing these security-related policies and procedures. You can have a "satellite CISO" third-party service provider if you need to, but you own the responsibility of reporting compliance and you have to make sure the third party is overseen by your executive team members. The CISO must report to the board or a senior officer at least once per year.

Financial Services Cybersecurity

Conduct and document a thorough risk assessment and base your new cybersecurity program as well as policies off of that assessment.

There are many more requirements outlined in NYDFS 23 NYCRR part 500 Cybersecurity Requirements for Financial Services Companies.

If you don't have a continuous compliance platform that makes maintaining the compliance assessment data, risk assessment data, supporting evidence and proof of compliance easy.. or that makes assessments and reporting automated, you might consider a platform like CyberStrong.

Establish your cybersecurity program off of that risk assessment and address these cyber security functions: identify cyber risks, implement defensive infrastructure and implement risk-based policies as well as procedures that aim to protect your nonpublic data and information systems fromunauthorized access, have a means to detect cybersecurity incidents, know how to respond to those incidents and how to mitigate the effects, recover from the incident as well as maintain operations, and know how to fulfill the reporting rules that go along with regulations such as 23 NYRR part 500.

Have a set of cybersecurity policies and procedures that addresses information security, data governance, data classification, access inventory, identity management, business continuity, disaster recovery planning, systems operations, systems and network security, monitoring, quality assurance, physical security, environmental variables, data privacy, vendor risk management, your risk assessment, and your incident response plan.


Implement third-party cyber risk policies written based on your risk assessment that accomplish these objectives:

1). Identify and assess your risks associated with your third parties' access to information systems and any nonpublic information

2) Establish minimum cybersecurity requirements that your organization must follow

3) Prove Due Diligence via processes used to evaluate the adequacy of third parties’ cyber security practices

4) Periodically assess third parties based on the risk they present and the continued adequacy of their cyber practices.

Establish a written incident response plan outlining the internal as well as external processes for responding a cyber incident. It will contain roles assigned, the responsibilities and decision-making authority per each role, and will give remediation measures. The incident response plan should outline documentation and reporting requirements as well as revisions following an incident.

Notify the superintendent of DFS of any cybersecurity events that

1) Require notice to be provided to a supervisor, or...

2) Could significantly harm critical business operations. Reports should be made no later than 72 hours after a determination is made.

Submit an annual certification of compliance which should be signed by the Chair of the board or Senior Leadership, to the Superintendent by Feb 15th annually. This effort proves that the covered entity is in accordance with all of the 23 NYCRR part 500 compliance requirements. You also must maintain the supporting evidence and data for five years.

We recommend you try a continuous compliance platform such as CyberStrong to streamline your cyber compliance journey. It can be tough complying to these complex regulations regardless of whether you're a large institution or a small financial services provider. Take advantage of the tech available today and let us know if you want more information.

Future-Proof Compliance

Automate 23NYCrr 500 Compliance

CyberStrong automates the compliance and risk assessment process required by the 23NYCrr 500 regulation, and continuously documents and allows you to report on your compliance status with the click of a button.

Schedule a Demo