New York Financial Companies must comply with cybersecurity regulation

By Kevin Jay on March 29, 2019

March 1, 2019 marks the final implementation of the New York Department of Financial Services’ (NYDFS) cybersecurity regulation covering DFS-regulated entities and licensed individuals. Regulation 23 NYDFS 500 forces financial institutions to be more transparent and protective of the data they store and process in their financial systems. The regulation is designed to ensure businesses effectively protect their customers’ confidential information from cyber-attacks. The cyber regulation will require more data protection procedures than anywhere else in the world, signaling the criticality of cybersecurity.

Key Details

  • Regulation 23 NYDFS 500 is the first in the United States to require cybersecurity policies and protections from all covered financial institutions licensed in New York.
  • Protects both the financial services industry and its consumers from the rising threat of cyber criminals and cyber-attacks.
  • Requires each company to assess its risk profile and design.
  • Ensures businesses have a cyber program in place that is actively incorporated into the organizations operational processes.

Cybersecurity requirements for financial service companies: New York State

  • Conduct regular security risk assessments.
  • Conduct continuous monitoring, periodic penetration testing and vulnerability assessments.
  • Report any cybersecurity breaches to NYDFS within 72 hours.
  • Have oversight by a Chief Information Security Officer or third party.
  • Conduct third-part vendor cybersecurity assessments.
  • Create, maintain and test Incident Response, Business Continuity and Disaster Recover Plans.
  • Implement multi-factor authentication for remote access.
Financial security framework
(Figure One: Overview of 23 NYCRR 500)


The “rule covers firms and international subsidiaries operating in New York City, along with the rest of the state, requiring firms to meet a higher security baseline”, said Cyberscoop. This shows the importance in requiring cybersecurity policies and protections that will better protect the United States financial institutions and infrastructure against future cyber-attacks. This will be a leading example to other States in the importance of our confidentiality, integrity, and availability.


Cyberscoop. Deadline passes for companies to comply with New York’s cybersecurity regulation 1 March 2019

Mondaq. Upcoming New York State Cybersecurity Regulation Deadlines 13 February 2019

New York State. 23 NYCRR Part 500 – Cybersecurity 1 March 2019

New York State DFS. Cybersecurity Requirements for Financial Services Companies March 2019