Guide to the NYDFS Part 500 Cybersecurity Regulation

What is the NYDFS Part 500 Cybersecurity Regulation?

On March 1, 2017, the state of New York rolled out the 23 NYCRR 500 regulation, a law that demands financial companies implement a detailed framework to better protect consumer data privacy.

Who NYDFS Part 500 applies to

This law applies to any registered entity providing financial services in the state of New York, including:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

Key requirements

NYDFS Part 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. The law sets out a series of requirements to help organizations prevent data breaches. Covered organizations need to:

  • Create risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
  • Document their cybersecurity policies.
  • Ensure that their security program is adequately funded.
  • Designate a chief information security officer (which can include a third-party service provider) and put qualified cybersecurity personnel in charge of its security program.
  • Create incident response plans that include preserving data in order to respond to data breaches, including notice to the NYDFS within 72 hours of material events.
  • Maintain audit trails designed to detect and respond to cybersecurity events.
  • Create annual reports covering the risks faced, all material events, and the impact on protected data.
  • Develop and implement training to make employees aware of the organization’s cybersecurity program.

To comply, covered entities must meet the standards set in the law, submit certification of compliance, and, every year following initial compliance, file a set of reports with the Department of Financial Services through the NYDFS website.

NYDFS Part 500: Enforcement and penalties for non-compliance

NYDFS Part 500 is enforced by the New York State Department of Financial Services, which has authority to issue a consent order, impose a civil penalty, or revoke the license of a financial institution under NY Banking Law. NY Banking Law authorizes penalties of up to:

  1. $2,500 per day during which a violation continues,
  2. $15,000 per day in the event of a reckless practice or pattern of misconduct, or
  3. $75,000 per day in the event of a knowing or willful violation.

23 NYCRR 500: Frequently Asked Questions

Who does 23 NYCRR 500 apply to?

23 NYCRR 500 applies to all entities that operate under the jurisdiction of the New York State Department of Financial Services (NYDFS). This includes, but is not limited to, banks, insurance companies, mortgage brokers, and other financial institutions. It also applies to licensed persons, such as insurance agents and brokers, as well as third-party service providers that handle nonpublic information (NPI) on behalf of these entities. It’s important to note that the regulation is designed to protect the confidentiality, integrity, and availability of information systems within the financial services sector.

What are the key requirements of 23 NYCRR 500?

23 NYCRR 500 mandates that covered entities implement and maintain a comprehensive cybersecurity program designed to protect the confidentiality, integrity, and availability of their information systems. Key requirements include:

  1. Cybersecurity program: Entities must establish a cybersecurity program tailored to their specific risks.
  2. Cybersecurity policy: Development and implementation of a written policy approved by a senior officer or the board of directors annually, covering key areas like data governance, access controls, and incident response.
  3. Chief Information Security Officer (CISO): Appointment of a qualified individual responsible for overseeing and implementing the cybersecurity program. The CISO must report to the board or a senior officer at least annually on the state of the cybersecurity program.
  4. Risk assessments: Periodic risk assessments, at least annually, to inform and update the cybersecurity program, including changes in the covered entity’s business or the emergence of new threats.
  5. Penetration testing and vulnerability assessments: Annual testing and assessments to identify vulnerabilities.
  6. Audit trail: Maintenance of an audit trail to detect and respond to cybersecurity events that have a reasonable likelihood of material harm to the normal operations of the covered entity.
  7. Access controls: Implementation of strict access controls to ensure only authorized personnel can access nonpublic data.
  8. Third-party service provider oversight: Due diligence and monitoring of third-party service providers to ensure they meet cybersecurity standards.
  9. Incident response plan: Development of a plan to respond to and recover from cybersecurity events, including notification within 72 hours to the NYDFS after determining that a cybersecurity incident has occurred at the covered entity, its affiliates, or a third-party service provider.
  10. Training and monitoring: Regular cybersecurity awareness training for personnel and continuous monitoring of systems.

How does 23 NYCRR 500 align with other cybersecurity frameworks?

23 NYCRR 500 can be aligned with other cybersecurity frameworks like NIST CSF, ISO 27001, and PCI DSS. While each framework has its unique elements, they share the common goals of protecting information systems and managing cybersecurity risks. Companies already compliant with other frameworks might find they have already met many 23 NYCRR 500 requirements. However, 23 NYCRR 500 has specific mandates, particularly in terms of governance, reporting, and the role of the CISO, which may require additional effort to ensure full compliance.

What does 23 NYCRR 500 require for third-party service providers?

23 NYCRR 500 requires covered entities to implement written policies and procedures to ensure the security of information systems and nonpublic information accessible by third-party service providers. This includes:

  1. Risk-based assessment: Conducting a risk assessment of third-party providers to determine their cybersecurity posture.
  2. Contractual provisions: Ensuring that contracts with third-party providers include provisions requiring them to maintain appropriate cybersecurity measures.
  3. Ongoing monitoring: Regularly monitoring and assessing third-party providers’ cybersecurity practices to ensure ongoing compliance with NYCRR 500.
  4. Incident reporting: Establishing protocols for third-party providers to report cybersecurity events that could affect the covered entity or the covered entity’s nonpublic information being held by the third-party service provider.

How should a covered entity prepare for an NYDFS cybersecurity examination?

To prepare for an NYDFS cybersecurity examination, a covered entity should:

  1. Conduct a documentation review: Ensure all cybersecurity policies, risk assessments, and audit trails are well-documented and up-to-date.
  2. Conduct a compliance check: Conduct an internal audit or compliance check against NYCRR 500 requirements to identify and address any gaps.
  3. Schedule trainings and promote awareness: Verify that all personnel have received the necessary cybersecurity training and are aware of their roles in maintaining compliance.
  4. Review and update your incident response plan: Review and, if necessary, update the incident response plan, ensuring it meets all NYDFS requirements.
  5. Review third-party risk management practices: Confirm that third-party service providers meet the cybersecurity standards required under 23 NYCRR 500, with appropriate documentation to support this.
  6. Prepare for interviews: Anticipate potential questions and prepare key staff members for possible interviews or discussions with NYDFS examiners.

Are there exemptions under 23 NYCRR 500?

Yes, there are both full and partial exemptions under 23 NYCRR 500.

Entities claiming exemptions must file a Notice of Exemption with the NYDFS and ensure they still comply with applicable parts of the regulation.


Does 23 NYCRR 500 involve a certification process?

No, 23 NYCRR 500 does not involve a certification process. Instead, covered entities are required to submit an annual Certification of Compliance to the NYDFS by February 15th of each year. This certification confirms that the entity has complied with the 23 NYCRR 500 requirements throughout the preceding calendar year.

What are the penalties for non-compliance with 23 NYCRR 500?

Non-compliance with 23 NYCRR 500 can result in significant penalties, including fines, enforcement actions, and reputational damage. The NYDFS has the authority to impose civil monetary penalties for violations, which can be substantial depending on the severity of the non-compliance. Additionally, entities found to be non-compliant may face increased regulatory scrutiny, legal challenges, and potential loss of operating licenses.

What is a cybersecurity incident under 23 NYCRR 500?

A cybersecurity incident under 23 NYCRR 500 is defined as any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt, or misuse an information system or the information stored on such a system. This includes incidents that result in the loss of control over, or unauthorized disclosure of, nonpublic information, or that result in the deployment of ransomware within a material part of the covered entity’s information systems. Covered entities are required to report cybersecurity incidents to the NYDFS within 72 hours if the event has occurred at the covered entity, its affiliates, or a third-party service provider.

Hyperproof Makes NYDFS Part 500 Compliance Simple

  • Leverage an out-of-the-box NYDFS Part 500 framework template so you can get started quickly and easily
  • Effortlessly map controls to multiple regulatory standards to maintain a robust compliance posture
  • Reduce the time and effort required to achieve compliance with all relevant regulations that impact your business
  • Maximize efficiency with seamless integrations with your existing project management tools, like ServiceNow, Jira, and Asana
  • Reuse evidence across various frameworks and controls, simplifying the documentation process
  • Collect and document evidence swiftly to demonstrate your compliance with NYDFS Part 500 regulations
  • Identify, prioritize, and manage your critical cybersecurity workflows to ensure your organization stays secure and compliant
