23 NYCRR 500 Cybersecurity Compliance for Financial Institutions

What is the NYDFS Cybersecurity Regulation?

Research shows the rate of breaches on the financial services sector tripled over the past five years.* After all, this is literally where the money is.

This makes financial institutions a target-rich environment for cybercriminals, since they offer multiple avenues for profit such as extortion, theft, and fraud. Beyond the obvious motivation of financial gain, nation-states and hacktivists also target the financial sector for political and ideological reasons.

As a response to the ever-growing threat posed to information and financial systems, the New York Department of Financial Services (NYDFS) has issued the NYDFS Cybersecurity Regulation (23 NYCRR 500). This is a relatively new set of regulations that places cybersecurity requirements on all covered financial institutions.

The requirement aims to protect DFS regulated entities as well as New York consumers whose private information may be revealed and/or stolen in cybersecurity events.

Who must comply with 23 NYCRR 500?

The NYDFS Cybersecurity Regulation covers any organization, including nonresident licensees, that is regulated by the New York Department  of Financial Services. This includes:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

What are the 23 NYCRR 500 Requirements?

The regulation requires covered entities to assess their cybersecurity risk profile and implement and maintain a comprehensive cybersecurity program that recognizes and mitigates that risk and in accordance with a specific compliance time line.

A covered entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

This cybersecurity program should be aligned to the NIST Cybersecurity Framework (CSF) core functions:

  • Identify: Develop an organizational understanding to manage cybersecurity risk to systems, assets, data, and capabilities.
  • Protect: Develop and implement appropriate safeguards to ensure delivery of critical services.
  • Detect: Develop and implement the appropriate activities to identify the occurrence of a cybersecurity event.
  • Respond: Take appropriate action to mitigate all detected cybersecurity events.
  • Recover: Restore any capabilities or services that were impaired due to a cybersecurity event.

In addition, the NYDFS Cybersecurity Regulation specifies requirements beyond those of the CSF, including protecting nonpublic information.

NYDFS Required Cybersecurity Services

In the 23 NYCRR 500, the NYDFS communicates a strong sense of urgency for financial institutions to create a cybersecurity program:

“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The  number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”

The 23 NYCRR 500 mandate requires several minimum standards including:

  • Cybersecurity Program Development
  • Cybersecurity Policy
  • Chief Information Officer
  • Risk Assessment
  • Annual Penetration Test
  • Training and Monitoring
  • Incident Response Plan


The European Union’s (EU) General Data Protection Regulation (GDPR) and NYDFS share a common goal; to protect consumer personally identifiable information (PII) that can be used to identify an individual.

Many GDPR and NYDFS regulations overlap. These include requirements for the following:

  • A documented risk assessment
  • A documented data breach reporting process
  • Encryption of protected data at rest and in motion, and
  • Designation of an individual with overall responsibility for implementation and monitoring of required safeguards
  • Annual reporting of compliance efforts signed by senior management

The consumer privacy regulation space has become fragmented. Determining which regulations your organization must comply with and how to do so can be difficult.  US companies that must adhere to both frameworks benefit from mapping their compliance to fulfill common requirements and avoid duplicated effort.

NYDFS Compliance Services

Sword & Shield offers third party NYDFS cyber risk consulting services. We partner with you to identify and remediate gaps to achieve NYDFS compliance.

Sword & Shield takes the stress off you by helping to make sense of the new NYDFS requirements and how they apply to your business. Our security experts help you to identify your risks and vulnerabilities, develop a remediation plan, and continue to work with you to maintain or improve your 23 NYCRR 500 compliance.

*2018 “Cost of Cyber Crime Study” published by Accenture and the Ponemon Institute

Download the Data Sheet

NYDFS Compliance Services Datasheet

NYDFS Compliance Services

Fast Track Your NYDFS Compliance

Request a Free 23 NYCRR 500 Certification Consultation