NYDFS Cybersecurity Risk Assessment

At RSI Security we are experts in guiding you through the process of achieving New York DFS 23 NYCRR 500 compliance.

As of March 2017, the New York State Department of Financial Services (DFS) requires the financial sector to abide by new cybersecurity regulations. All individuals and entities operating under a license, registration, charter, certificate, permit, accreditation or similar authorization under New York banking, insurance, or financial services laws are required to comply with the new regulations.

Organizations know that compliance is an ongoing process, not a once-a-year event. We can help you through that process so that you have the peace of mind that your data, and more importantly your customers' data, is secure.

What Is the New York DFS 23 NYCRR 500 Regulation?

The New York DFS 23 NYCRR 500 Regulation is a set of cybersecurity requirements with a focus on financial institutions that operate in New York. It became effective on March 1, 2017. The objective of the regulation is to address the increasing threat of cybercrime and the significant risks it poses to the financial services industry in particular.


23 NYCRR 500 Cybersecurity Requirements

The requirements that make up the NYDFS Cybersecurity Regulation overlap heavily with the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF), and they are widely treated as best practices for the financial industry.

The 23 sections of the regulation require covered entities to establish and maintain a cybersecurity program that adequately protects the entity itself and its customers or clients. The program must be overseen by a chief information security officer (CISO) and must include encryption of nonpublic information, documented processes for securing data, penetration testing and vulnerability assessments, thorough documentation, and a written incident response plan.

Checklist for 23 NYCRR Part 500

There are 23 defined requirements to meet for NYDFS compliance. Use this condensed NYDFS 500 checklist to ensure your organization addresses each area of concern:

  • Cybersecurity program - Covered entities must establish and maintain a cybersecurity program, a written cybersecurity policy, and a third-party service provider security policy.
  • Qualified cybersecurity personnel - A qualified CISO must be designated to oversee the cybersecurity program, and qualified cybersecurity personnel must be employed (or engaged through an affiliate or third-party provider) to help manage it.
  • Security assessments - Penetration testing, vulnerability assessments, and risk assessments must be performed at regular intervals, with penetration testing conducted at least annually.
  • Secure data and applications - Applications must be developed securely, nonpublic information must be encrypted in transit and at rest (or protected by compensating controls approved by the CISO), and limits on data retention must be established and followed.
  • Access controls - Measures including limited user privileges and multi-factor authentication (required for remote access to the entity's internal networks) must be implemented to manage access to data and systems.
  • Personnel management - Provide regular cybersecurity awareness training to personnel and monitor user activity to ensure compliance with the policy.
  • Incident response plan - The cybersecurity program must include a written incident response plan for responding to and recovering from breaches and other incidents promptly. The Superintendent of Financial Services must be notified within 72 hours of determining that a reportable cybersecurity event has occurred.
  • Audit trail - Covered entities must maintain an audit trail: records designed to reconstruct material financial transactions must be retained for at least five years, and records designed to detect and respond to cybersecurity events for at least three years.

Who Does NYDFS Cybersecurity Regulation Apply To?

The NYDFS cybersecurity rules apply to all covered entities, defined as any entity "operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law."

Organizations with fewer than 10 employees, less than $5 million in gross annual revenue from New York operations in each of the previous three fiscal years, or less than $10 million in year-end total assets qualify for a limited exemption. The exemption covers only some of the requirements; the remaining requirements still apply, and a Notice of Exemption must be filed with DFS. (The November 2023 amendment to Part 500 raised these thresholds; check the current text of Section 500.19 for the figures that apply to your filing year.)

How Can I Meet the DFS 23 NYCRR 500 Cybersecurity Regulation?

For organizations that qualify as covered entities, meeting DFS 23 NYCRR 500 Cybersecurity Regulation can be broken down into a few primary stages:

  • Appoint a CISO - Use a traditional, C-suite chief information security officer, or outsource to a virtual CISO, to oversee cybersecurity within the organization.
  • Develop a security program and policy - Follow the requirements detailed in the regulation to develop a compliant cybersecurity program and written policy.
  • Perform a risk assessment - Assess your organization to gain a thorough picture of your current IT infrastructure, the nonpublic information it holds, and the threats to it; the program and policy must be based on this risk assessment.
  • Implement security measures - Implement the controls, policies, and procedures defined by the security program.
  • Board review and certification - After review by the board of directors or a senior officer, file the annual certification of compliance with DFS.
  • Perform ongoing assessments - Perform ongoing monitoring and regular assessments to ensure best practices are followed and to maintain compliance.

Failing to maintain NYDFS 23 NYCRR 500 compliance can have serious consequences:

  • Lost customers
  • Fraud losses
  • Legal costs, settlements, judgments
  • Fines and penalties
  • Brand erosion
  • Going out of business

“New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks… These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”

- New York Governor Andrew Cuomo


23 NYCRR 500 Compliance FAQs

Covered entities are those that operate, or are required to operate, under New York Banking Law, Insurance Law, or Financial Services Law. This includes:

  • Private bankers and state-chartered banks
  • Licensed lenders and trust companies
  • Mortgage companies and service contract providers
  • Insurance companies and New York-licensed branches of non-U.S. banks

23 NYCRR Part 500 is enforced by the Superintendent of Financial Services of the New York Department of Financial Services.

There are cases where a covered entity may qualify for a full or limited exemption from NYCRR 500, such as:

  • Organizations with fewer than 10 employees
  • Organizations with less than $5 million in gross annual revenue from New York operations in each of the previous three fiscal years
  • Organizations with less than $10 million in year-end total assets
  • Certain charitable annuity societies and other entities specifically named in Section 500.19

The size-based exemptions are limited: the entity is excused from some requirements, must still meet the others, and must file a Notice of Exemption with DFS.

NYCRR 500 includes 23 different points for meeting compliance requirements. These requirements cover the necessary considerations for a compliant cybersecurity program with an emphasis on proper oversight, management, security procedures, data management, employee training, documentation, and reporting.

