New York Department of Financial Services (NYDFS)

Cyber attacks have been growing, and the New York State Department of Financial Services recognizes this as a growing problem. In response to the increasing cybersecurity threat to information and financial systems, the New York State Department of Financial Services (NYDFS) has adopted the State of New York's Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). This regulation took effect on March 1, 2017, to protect customer information as well as the IT systems of regulated entities.

What is NYDFS 23 NYCRR 500?

23 NYCRR 500 is a cybersecurity regulation passed by the New York State Department of Financial Services (NYDFS) in early 2017. According to their website, the purpose of the NYDFS cybersecurity regulations is to “promote the protection of customer information as well as the information technology systems of related entities.”

The New York cybersecurity regulations are applicable to all companies under NYDFS supervision, including state-chartered banks, charitable foundations, credit unions, insurance companies, etc.

To comply with the NYDFS cybersecurity regulations, each company is now required to “assess its specific risk profile and design a program that addresses its risks in a robust fashion.” Additionally, senior management must “be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

Specific NYDFS 23 NYCRR 500 cybersecurity requirements include (but are not limited to):

  • Risk assessments to inform the program’s design
  • Identification and assessment of external cybersecurity risks
  • Controls, policies, and procedures for mitigating those risks
  • Fulfillment of regulatory reporting requirements
  • Designation of a Chief Information Security Officer (CISO) responsible for overseeing the program