
New York Department of Financial Services Cybersecurity Regulation

The nation's first comprehensive cybersecurity regulation for financial services

Established: 2017 (23 NYCRR Part 500)
Last Updated: November 2023 (Second Amendment effective)
Scope: New York / Financial Services
Covered Entities: 3,000+

// What is NYDFS Cybersecurity?

23 NYCRR Part 500 was the first US regulation to impose comprehensive cybersecurity requirements on financial services companies. The regulation applies to entities licensed or operating under New York banking, insurance, or financial services law; because of New York's status as a financial center, that scope includes many national firms.

The November 2023 amendments significantly strengthened the requirements, adding new provisions for vulnerability management, access privileges, incident response, and board accountability. Larger firms (Class A companies, defined below) face additional requirements, including an independent CISO function and annual independent audits.

NYDFS has been an aggressive enforcer, with settlements reaching tens of millions for systemic failures. The regulation's influence extends beyond New York, as many covered entities apply its standards enterprise-wide.

// Inside the Regulation

Part 500 establishes specific technical requirements and governance obligations, distinguishing it from principle-based regulations. The 2023 amendments expanded requirements substantially.

1. Cybersecurity Program Requirements (§500.2-500.3)

Core requirements for cybersecurity programs including risk assessment, policy, and designated personnel.

Cybersecurity Program

Maintain a program designed to protect information systems and nonpublic information based on risk assessment.

Cybersecurity Policy

Written policies approved by senior governing body or officer, covering 15 specified areas including incident response, access controls, and vendor management.

Chief Information Security Officer

Designate a qualified CISO responsible for program oversight. Class A companies must have an independent CISO function.

Risk Assessment

Conduct periodic risk assessment sufficient to inform cybersecurity program design. Update at least annually.

2. Technical Requirements (§500.5-500.15)

Specific technical controls mandated by the regulation, expanded significantly in 2023.

Penetration Testing and Vulnerability Assessment

Annual penetration testing by a qualified internal or external party. Vulnerability scanning at least biannually and after material changes.

Multi-Factor Authentication

Required for remote access, privileged accounts, and access to nonpublic information. Expanded in 2023 amendments.

Encryption

Encrypt nonpublic information in transit over external networks and at rest. Alternative controls require CISO approval.

Access Privileges

Limit access to only what's necessary. Implement privileged access management. Disable accounts within 24 hours upon departure.

Audit Trail

Maintain systems designed to reconstruct material transactions and detect unauthorized access to nonpublic information.

Application Security

Written procedures for secure development of in-house applications and security evaluation of external applications.

3. Governance and Reporting (§500.4, §500.17)

Board-level oversight and certification requirements ensure executive accountability.

Board Oversight

Senior governing body must oversee cybersecurity risk management. Class A companies require board-level cybersecurity expertise.

Annual Certification

Annually certify compliance to NYDFS by April 15, signed by highest-ranking executive or CISO.

CISO Reporting

CISO must report at least annually to senior governing body on program status, material issues, and remediation.

Incident Notification

Notify NYDFS within 72 hours of cybersecurity events with reasonable likelihood of material harm.

4. Third-Party and Vendor Management (§500.11)

Requirements for managing cybersecurity risks from third-party service providers.

Written Policies

Implement written policies for third-party security based on risk assessment.

Due Diligence

Conduct due diligence to evaluate third-party cybersecurity practices.

Contractual Requirements

Include cybersecurity requirements in contracts with third-party service providers.

Periodic Assessment

Periodically assess third-party practices based on risk and continued adequacy of access and controls.

Note: Class A companies (those with $20M+ gross annual revenue from NY business AND either 2,000+ employees or $1B+ gross annual revenue) face additional requirements including independent CISO, annual independent audits, and board-level cybersecurity expertise.

// Who Must Comply

  • Banks and trust companies chartered in New York
  • Insurance companies licensed in New York
  • Licensed lenders and mortgage companies
  • Money transmitters licensed by NYDFS
  • Investment companies and check cashers
  • Any entity operating under NY Banking, Insurance, or Financial Services Law

// Key Requirements

CISO Designation

Designate a qualified CISO responsible for cybersecurity program implementation and reporting

Penetration Testing

Conduct annual penetration testing and biannual vulnerability assessments

Multi-Factor Authentication

Implement MFA for remote access, privileged accounts, and nonpublic information access

Encryption

Encrypt nonpublic information in transit and at rest using appropriate standards

Annual Certification

Certify compliance annually to NYDFS signed by senior executive or CISO

72-Hour Notification

Notify NYDFS within 72 hours of cybersecurity events likely to cause material harm

// Enforcement & Penalties

NYDFS has enforcement authority under New York Banking and Financial Services Law. Penalties for non-compliance can include significant monetary fines, consent orders, and restrictions on business activities. Enforcement has increased substantially since 2020.

Maximum Penalty

Up to $250,000 per violation (higher in serious cases)

Examples:

  • First American Title - $1 million penalty for vulnerability management failures (2021)
  • Residential Mortgage Services - $1.5 million for cybersecurity violations (2021)
  • Robinhood Crypto - $30 million for BSA/AML and cybersecurity failures (2022)
  • OneMain Financial - $4.25 million for access control and MFA violations (2023)

// Cyber Insurance Impact

Cyber insurers serving financial services carefully evaluate NYDFS compliance. The regulation's specific technical requirements make compliance assessment straightforward. Non-compliance can result in coverage limitations, particularly given the annual certification requirement and NYDFS enforcement activity.

// How Breach Craft Helps

We help organizations achieve NYDFS Cybersecurity compliance through genuine security improvements—not checkbox exercises. Our services address the specific requirements and challenges of NYDFS Cybersecurity.
