NY DFS 23 NYCRR 500 Cybersecurity Compliance
Cybersecurity Requirements For Financial Services Companies
The New York Department of Financial Services (NY DFS) published the most current version of its 23 NYCRR 500 cybersecurity compliance requirements in December 2023 (Amendment 2), which took effect on November 1, 2024. This regulation applies to "covered entities" as defined by NY DFS 23 NYCRR 500, specifically targeting the FINSERV industry (e.g., financial institutions, insurance companies, insurance agents / brokers, banks, trusts, mortgage banks, mortgage brokers and lenders, money transmitters, check cashers, etc.).
NY DFS 23 NYCRR 500 Is Not Aligned With A Cybersecurity Framework
If you take the time to read through the actual cybersecurity requirements of NY DFS 23 NYCRR 500, you will find that there is no alignment with leading cybersecurity frameworks (e.g., NIST CSF 2.0, ISO 27001/27002, NIST 800-171 or NIST 800-53). This is unfortunate, but not unexpected. It means that covered entities have to do additional work to ensure that their cybersecurity and data protection capabilities have the added coverage needed to address the NYCRR 500 requirements.
How To Comply NY DFS 23 NYCRR 500 Cybersecurity Requirements
The lack of a 1-to-1 mapping between the NY DFS 23 NYCRR 500 requirements and NIST CSF, ISO 27001/27002, NIST 800-171 or NIST 800-53 complicates compliance. The good news is that the policies and standards in the Digital Security Program (DSP) from ComplianceForge have complete coverage of the cybersecurity requirements of NY DFS 23 NYCRR 500 (Amendment 2).
The Secure Controls Framework (SCF) uses NIST IR 8477 for Set Theory Relationship Mapping (STRM) to demonstrate how SCF controls can address statutory, regulatory and contractual obligations for cybersecurity and data protection. The SCF publishes an STRM for NY DFS 23 NYCRR 500 so that you can see for yourself how the Digital Security Program (DSP) can help your organization comply with these requirements: https://securecontrolsframework.com/content/strm/scf-strm-ny-dfs-23-nycrr500-amd2.pdf
What Are the Requirements of NY DFS 23 NYCRR 500?
The following requirements are taken directly from Amendment 2 of NY DFS 23 NYCRR 500:
500.2 Cybersecurity program.
(a) Each covered entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity’s information systems and nonpublic information stored on those information systems.
(b) The cybersecurity program shall be based on the covered entity’s risk assessment and designed to perform the following core cybersecurity functions:
(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity’s information systems;
(2) use defensive infrastructure and the implementation of policies and procedures to protect the covered entity’s information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
(3) detect cybersecurity events;
(4) respond to identified or detected cybersecurity events to mitigate any negative effects;
(5) recover from cybersecurity events and restore normal operations and services; and
(6) fulfill applicable regulatory reporting obligations.
(c) Each class A company shall design and conduct independent audits of its cybersecurity program based on its risk assessment.
(d) A covered entity may meet the requirement(s) of this Part by adopting the relevant and applicable provisions of a cybersecurity program maintained by an affiliate, provided that such provisions satisfy the requirements of this Part, as applicable to the covered entity.
(e) All documentation and information relevant to the covered entity’s cybersecurity program, including the relevant and applicable provisions of a cybersecurity program maintained by an affiliate and adopted by the covered entity, shall be made available to the superintendent upon request.
500.3 Cybersecurity policy.
Each covered entity shall implement and maintain a written policy or policies, approved at least annually by a senior officer or the covered entity’s senior governing body for the protection of its information systems and nonpublic information stored on those information systems. Procedures shall be developed, documented and implemented in accordance with the written policy or policies. The cybersecurity policy or policies and procedures shall be based on the covered entity’s risk assessment and address, at a minimum, the following areas to the extent applicable to the covered entity’s operations:
(a) information security;
(b) data governance, classification and retention;
(c) asset inventory, device management and end of life management;
(d) access controls, including remote access and identity management;
(e) business continuity and disaster recovery planning and resources;
(f) systems operations and availability concerns;
(g) systems and network security and monitoring;
(h) security awareness and training;
(i) systems and application security and development and quality assurance;
(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and third-party service provider management;
(m) risk assessment;
(n) incident response and notification; and
(o) vulnerability management.
500.4 Cybersecurity governance.
(a) Chief information security officer. Each covered entity shall designate a CISO. The CISO may be employed by the covered entity, one of its affiliates or a third-party service provider. If the CISO is employed by a third-party service provider or an affiliate, the covered entity shall:
(1) retain responsibility for compliance with this Part;
(2) designate a senior member of the covered entity’s personnel responsible for direction and oversight of the third-party service provider; and
(3) require the third-party service provider or affiliate to maintain a cybersecurity program that protects the covered entity in accordance with the requirements of this Part.
(b) Report. The CISO of each covered entity shall report in writing at least annually to the senior governing body on the covered entity’s cybersecurity program, including to the extent applicable:
(1) the confidentiality of nonpublic information and the integrity and security of the covered entity’s information systems;
(2) the covered entity’s cybersecurity policies and procedures;
(3) material cybersecurity risks to the covered entity;
(4) overall effectiveness of the covered entity’s cybersecurity program;
(5) material cybersecurity events involving the covered entity during the time period addressed by the report; and
(6) plans for remediating material inadequacies.
(c) The CISO shall timely report to the senior governing body or senior officer(s) on material cybersecurity issues, such as significant cybersecurity events and significant changes to the covered entity’s cybersecurity program.
(d) The senior governing body of the covered entity shall exercise oversight of the covered entity’s cybersecurity risk management, including by:
(1) having sufficient understanding of cybersecurity-related matters to exercise such oversight, which may include the use of advisors;
(2) requiring the covered entity’s executive management or its designees to develop, implement and maintain the covered entity’s cybersecurity program;
(3) regularly receiving and reviewing management reports about cybersecurity matters; and
(4) confirming that the covered entity’s management has allocated sufficient resources to implement and maintain an effective cybersecurity program.
500.5 Vulnerability management.
Each covered entity shall, in accordance with its risk assessment, develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of its cybersecurity program. These policies and procedures shall be designed to ensure that covered entities:
(a) conduct, at a minimum:
(1) penetration testing of their information systems from both inside and outside the information systems’ boundaries by a qualified internal or external party at least annually; and
(2) automated scans of information systems, and a manual review of systems not covered by such scans, for the purpose of discovering, analyzing and reporting vulnerabilities at a frequency determined by the risk assessment, and promptly after any material system changes;
(b) are promptly informed of new security vulnerabilities by having a monitoring process in place; and
(c) timely remediate vulnerabilities, giving priority to vulnerabilities based on the risk they pose to the covered entity.
500.6 Audit trail.
(a) Each covered entity shall securely maintain systems that, to the extent applicable and based on its risk assessment:
(1) are designed to reconstruct material financial transactions sufficient to support normal operations and obligations of the covered entity; and
(2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the normal operations of the covered entity.
(b) Each covered entity shall maintain records required by paragraph (a)(1) of this section for not fewer than five years and shall maintain records required by paragraph (a)(2) of this section for not fewer than three years.
500.7 Access privileges and management.
(a) As part of its cybersecurity program, based on the covered entity’s risk assessment each covered entity shall:
(1) limit user access privileges to information systems that provide access to nonpublic information to only those necessary to perform the user’s job;
(2) limit the number of privileged accounts and limit the access functions of privileged accounts to only those necessary to perform the user’s job;
(3) limit the use of privileged accounts to only when performing functions requiring the use of such access;
(4) periodically, but at a minimum annually, review all user access privileges and remove or disable accounts and access that are no longer necessary;
(5) disable or securely configure all protocols that permit remote control of devices; and
(6) promptly terminate access following departures.
(b) To the extent passwords are employed as a method of authentication, the covered entity shall implement a written password policy that meets industry standards.
(c) Each class A company shall monitor privileged access activity and shall implement:
(1) a privileged access management solution; and
(2) an automated method of blocking commonly used passwords for all accounts on information systems owned or controlled by the class A company and wherever feasible for all other accounts. To the extent the class A company determines that blocking commonly used passwords is infeasible, the covered entity’s CISO may instead approve in writing at least annually the infeasibility and the use of reasonably equivalent or more secure compensating controls.
500.8 Application security.
(a) Each covered entity’s cybersecurity program shall include written procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications utilized by the covered entity, and procedures for evaluating, assessing or testing the security of externally developed applications utilized by the covered entity within the context of the covered entity’s technology environment.
(b) All such procedures, guidelines and standards shall be reviewed, assessed and updated as necessary by the CISO (or a qualified designee) of the covered entity at least annually.
500.9 Risk assessment.
(a) Each covered entity shall conduct a periodic risk assessment of the covered entity’s information systems sufficient to inform the design of the cybersecurity program as required by this Part. Such risk assessment shall be reviewed and updated as reasonably necessary, but at a minimum annually, and whenever a change in the business or technology causes a material change to the covered entity’s cyber risk. The covered entity’s risk assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the covered entity’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized and the availability and effectiveness of controls to protect nonpublic information and information systems.
(b) The risk assessment shall be carried out in accordance with written policies and procedures and shall be documented. Such policies and procedures shall include:
(1) criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity;
(2) criteria for the assessment of the confidentiality, integrity, security and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
(3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.
500.10 Cybersecurity personnel and intelligence.
(a) In addition to the requirements set forth in section 500.4(a) of this Part, each covered entity shall:
(1) utilize qualified cybersecurity personnel of the covered entity, an affiliate or a third-party service provider sufficient to manage the covered entity’s cybersecurity risks and to perform or oversee the performance of the core cybersecurity functions specified in section 500.2(b)(1)–(6) of this Part;
(2) provide cybersecurity personnel with cybersecurity updates and training sufficient to address relevant cybersecurity risks; and
(3) verify that key cybersecurity personnel take steps to maintain current knowledge of changing cybersecurity threats and countermeasures.
(b) A covered entity may choose to utilize an affiliate or qualified third-party service provider to assist in complying with the requirements set forth in this Part, subject to the requirements set forth in sections 500.4 and 500.11 of this Part.
500.11 Third-party service provider security policy.
(a) Each covered entity shall implement written policies and procedures designed to ensure the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers. Such policies and procedures shall be based on the risk assessment of the covered entity and shall address to the extent applicable:
(1) the identification and risk assessment of third-party service providers;
(2) minimum cybersecurity practices required to be met by such third-party service providers in order for them to do business with the covered entity;
(3) due diligence processes used to evaluate the adequacy of cybersecurity practices of such third-party service providers; and
(4) periodic assessment of such third-party service providers based on the risk they present and the continued adequacy of their cybersecurity practices.
(b) Such policies and procedures shall include relevant guidelines for due diligence and/or contractual protections relating to third-party service providers including to the extent applicable guidelines addressing:
(1) the third-party service provider’s policies and procedures for access controls, including its use of multi-factor authentication as required by section 500.12 of this Part, to limit access to relevant information systems and nonpublic information;
(2) the third-party service provider’s policies and procedures for use of encryption as required by section 500.15 of this Part to protect nonpublic information in transit and at rest;
(3) notice to be provided to the covered entity in the event of a cybersecurity event directly impacting the covered entity’s information systems or the covered entity’s nonpublic information being held by the third-party service provider; and
(4) representations and warranties addressing the third-party service provider’s cybersecurity policies and procedures that relate to the security of the covered entity’s information systems or nonpublic information.
500.12 Multi-factor authentication.
(a) Multi-factor authentication shall be utilized for any individual accessing any information systems of a covered entity, unless the covered entity qualifies for a limited exemption pursuant to section 500.19(a) of this Part in which case multi-factor authentication shall be utilized for:
(1) remote access to the covered entity’s information systems;
(2) remote access to third-party applications, including but not limited to those that are cloud based, from which nonpublic information is accessible; and
(3) all privileged accounts other than service accounts that prohibit interactive login.
(b) If the covered entity has a CISO, the CISO may approve in writing the use of reasonably equivalent or more secure compensating controls. Such controls shall be reviewed periodically, but at a minimum annually.
500.13 Asset management and data retention requirements.
(a) As part of its cybersecurity program, each covered entity shall implement written policies and procedures designed to produce and maintain a complete, accurate and documented asset inventory of the covered entity’s information systems. The asset inventory shall be maintained in accordance with written policies and procedures. At a minimum, such policies and procedures shall include:
(1) a method to track key information for each asset, including, as applicable, the following:
(i) owner;
(ii) location;
(iii) classification or sensitivity;
(iv) support expiration date; and
(v) recovery time objectives; and
(2) the frequency required to update and validate the covered entity’s asset inventory.
(b) As part of its cybersecurity program, each covered entity shall include policies and procedures for the secure disposal on a periodic basis of any nonpublic information identified in section 500.1(k)(2)–(3) of this Part that is no longer necessary for business operations or for other legitimate business purposes of the covered entity, except where such information is otherwise required to be retained by law or regulation, or where targeted disposal is not reasonably feasible due to the manner in which the information is maintained.
500.14 Monitoring and training.
(a) As part of its cybersecurity program, each covered entity shall:
(1) implement risk-based policies, procedures and controls designed to monitor the activity of authorized users and detect unauthorized access or use of, or tampering with, nonpublic information by such authorized users;
(2) implement risk-based controls designed to protect against malicious code, including those that monitor and filter web traffic and electronic mail to block malicious content; and
(3) provide periodic, but at a minimum annual, cybersecurity awareness training that includes social engineering for all personnel that is updated to reflect risks identified by the covered entity in its risk assessment.
(b) Each class A company shall implement, unless the CISO has approved in writing the use of reasonably equivalent or more secure compensating controls:
(1) an endpoint detection and response solution to monitor anomalous activity, including but not limited to lateral movement; and
(2) a solution that centralizes logging and security event alerting.
500.15 Encryption of nonpublic information.
(a) As part of its cybersecurity program, each covered entity shall implement a written policy requiring encryption that meets industry standards, to protect nonpublic information held or transmitted by the covered entity both in transit over external networks and at rest.
(b) To the extent a covered entity determines that encryption of nonpublic information at rest is infeasible, the covered entity may instead secure such nonpublic information using effective alternative compensating controls that have been reviewed and approved by the covered entity’s CISO in writing. The feasibility of encryption and effectiveness of the compensating controls shall be reviewed by the CISO at least annually.
500.16 Incident response and business continuity management.
(a) As part of its cybersecurity program, each covered entity shall establish written plans that contain proactive measures to investigate and mitigate cybersecurity events and to ensure operational resilience, including but not limited to incident response, business continuity and disaster recovery plans.
(1) Incident response plan. Incident response plans shall be reasonably designed to enable prompt response to, and recovery from, any cybersecurity event materially affecting the confidentiality, integrity or availability of the covered entity’s information systems or the continuing functionality of any aspect of the covered entity’s business or operations. Such plans shall address the following areas with respect to different types of cybersecurity events, including disruptive events such as ransomware incidents:
(i) the goals of the incident response plan;
(ii) the internal processes for responding to a cybersecurity event;
(iii) the definition of clear roles, responsibilities and levels of decision-making authority;
(iv) external and internal communications and information sharing;
(v) identification of requirements for the remediation of any identified weaknesses in information systems and associated controls;
(vi) documentation and reporting regarding cybersecurity events and related incident response activities;
(vii) recovery from backups;
(viii) preparation of root cause analysis that describes how and why the event occurred, what business impact it had, and what will be done to prevent reoccurrence; and
(ix) updating of incident response plans as necessary.
(2) Business continuity and disaster recovery (BCDR) plan. BCDR plans shall be reasonably designed to ensure the availability and functionality of the covered entity’s information systems and material services and protect the covered entity’s personnel, assets and nonpublic information in the event of a cybersecurity-related disruption to its normal business activities. Such plans shall, at minimum:
(i) identify documents, data, facilities, infrastructure, services, personnel and competencies essential to the continued operations of the covered entity’s business;
(ii) identify the supervisory personnel responsible for implementing each aspect of the BCDR plan;
(iii) include a plan to communicate with essential persons in the event of a cybersecurity-related disruption to the operations of the covered entity, including employees, counterparties, regulatory authorities, third-party service providers, disaster recovery specialists, the senior governing body and any other persons essential to the recovery of documentation and data and the resumption of operations;
(iv) include procedures for the timely recovery of critical data and information systems and to resume operations as soon as reasonably possible following a cybersecurity-related disruption to normal business activities;
(v) include procedures for backing up or copying, with sufficient frequency, information essential to the operations of the covered entity and storing such information offsite; and
(vi) identify third parties that are necessary to the continued operations of the covered entity’s information systems.
(b) Each covered entity shall ensure that current copies of the plans or relevant portions therein are distributed or are otherwise accessible, including during a cybersecurity event, to all employees necessary to implement such plans.
(c) Each covered entity shall provide relevant training to all employees responsible for implementing the plans regarding their roles and responsibilities.
(d) Each covered entity shall periodically, but at a minimum annually, test its:
(1) incident response and BCDR plans with all staff and management critical to the response, and shall revise the plan as necessary; and
(2) ability to restore its critical data and information systems from backups.
(e) Each covered entity shall maintain backups necessary to restore material operations. The backups shall be adequately protected from unauthorized alterations or destruction.
500.17 Notices to superintendent.
(a) Notice of cybersecurity incident.
(1) Each covered entity shall notify the superintendent electronically in the form set forth on the department’s website as promptly as possible but in no event later than 72 hours after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
(2) Each covered entity shall promptly provide to the superintendent any information requested regarding such incident. Covered entities shall have a continuing obligation to update the superintendent with material changes or new information previously unavailable.
(b) Notice of compliance.
(1) Annually each covered entity shall submit to the superintendent electronically by April 15 either:
(i) a written certification that:
(a) certifies that the covered entity materially complied with the requirements set forth in this Part during the prior calendar year; and
(b) shall be based upon data and documentation sufficient to accurately determine and demonstrate such material compliance, including, to the extent necessary, documentation of officers, employees, representatives, outside vendors and other individuals or entities, as well as other documentation, whether in the form of reports, certifications, schedules or otherwise; or
(ii) a written acknowledgment that:
(a) acknowledges that, for the prior calendar year, the covered entity did not materially comply with all the requirements of this Part;
(b) identifies all sections of this Part that the entity has not materially complied with and describes the nature and extent of such noncompliance; and
(c) provides a remediation timeline or confirmation that remediation has been completed.
(2) Such certification or acknowledgment shall be submitted electronically in the form set forth on the department’s website and shall be signed by the covered entity’s highest-ranking executive and its CISO. If the covered entity does not have a CISO, the certification or acknowledgment shall be signed by the highest-ranking executive and by the senior officer responsible for the cybersecurity program of the covered entity.
(3) Each covered entity shall maintain for examination and inspection by the department upon request all records, schedules and other documentation and data supporting the certification or acknowledgment for a period of five years, including the identification of all areas, systems and processes that require or required material improvement, updating or redesign, all remedial efforts undertaken to address such areas, systems and processes, and remediation plans and timelines for their implementation.
(c) Notice and explanation of extortion payment. Each covered entity, in the event of an extortion payment made in connection with a cybersecurity event involving the covered entity, shall provide the superintendent electronically, in the form set forth on the department’s website, with the following:
(1) within 24 hours of the extortion payment, notice of the payment; and
(2) within 30 days of the extortion payment, a written description of the reasons payment was necessary, a description of alternatives to payment considered, all diligence performed to find alternatives to payment and all diligence performed to ensure compliance with applicable rules and regulations including those of the Office of Foreign Assets Control.
500.18 Confidentiality.
Information provided by a covered entity pursuant to this Part is subject to exemptions from disclosure under the Banking Law, Insurance Law, Financial Services Law, Public Officers Law or any other applicable State or Federal law.
500.19 Exemptions.
This section deals with exceptions and does not have cybersecurity requirements.
500.20 Enforcement.
This section deals with enforcement by NY DFS and does not have cybersecurity requirements.
500.21 Effective date.
This section deals with effective dates and does not have cybersecurity requirements.
500.22 Transitional periods.
(a) Transitional period.
Covered entities shall have 180 days from the effective date of this Part to comply with the requirements set forth in this Part, except as otherwise specified.
(b) The following provisions shall include additional transitional periods. Covered entities shall have:
(1) one year from the effective date of this Part to comply with the requirements of sections 500.4(b), 500.5, 500.9, 500.12 and 500.14(b) of this Part;
(2) eighteen months from the effective date of this Part to comply with the requirements of sections 500.6, 500.8, 500.13, 500.14(a) and 500.15 of this Part;
(3) two years from the effective date of this Part to comply with the requirements of section 500.11 of this Part.
(c) Covered entities shall have 180 days from the effective date of the second amendment to this Part to comply with the new requirements set forth in the second amendment to this Part, except as otherwise specified in subdivisions (d) and (e) below.
(d) The following provisions shall include different transitional periods. Covered entities shall have:
(1) 30 days from the effective date of the second amendment to this Part to comply with the new requirements specified in section 500.17 of this Part;
(2) one year from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.4, 500.15, 500.16 and 500.19(a) of this Part;
(3) 18 months from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.5(a)(2), 500.7, 500.14(a)(2) and 500.14(b) of this Part; and
(4) two years from the effective date of the second amendment to this Part to comply with the new requirements specified in sections 500.12 and 500.13(a) of this Part.
(e) The new requirements specified in sections 500.19(e)-(h), 500.20, 500.21, 500.22 and 500.24 of this Part shall become effective November 1, 2023.
500.23 Severability.
This section deals with severability and does not have cybersecurity requirements.
500.24 Exemptions from electronic filing and submission requirements.
This section deals with electronic filing and does not have cybersecurity requirements.