What Is The DFS 23 NYCRR 500?

Cyber compliance is important for companies in every industry, but it is especially critical for the financial sector. Cybercriminals are developing more sophisticated approaches to exploit financial service organizations and steal their information. In response to these increasing cyber-risks, New York State has added security requirements to protect this industry.

The New York State Department of Financial Services (NYSDFS) rolled out 23 NYCRR 500 in 2017. The regulation took effect on March 1, 2017, with phased transitional periods that ended on March 1, 2019, by which point covered entities were expected to be in full compliance. It is one of the strictest and most granular regulations in the cybersecurity landscape. For some organizations, compliance may be as simple as updating existing documentation. For others, it can mean building a full cybersecurity program from scratch. Some of the crucial elements of compliance with DFS 23 NYCRR 500 include:

Parts 500.2 through 500.8 cover the cybersecurity program and policy, the presence of a chief information security officer (CISO), penetration testing and vulnerability assessments, an audit trail, access privileges, and application security.

Parts 500.9 through 500.16 cover risk assessment, cybersecurity personnel and intelligence, third party service provider security policy, multi-factor authentication, limitations on data retention, training and monitoring, encryption of nonpublic information, and incident response planning.

Parts 500.17 through 500.23 concern notices to the superintendent, confidentiality, exemptions, enforcement, effective date, transitional periods, and severability.

Expanded definitions of parts 500.2 through 500.23 are located here.

M.A. Polce is aware of the struggles companies go through to become and remain compliant with these requirements. With experience and care, we help financial institutions implement comprehensive cybersecurity solutions that meet compliance obligations, safeguard critical data, and enhance overall security. Connect with us to start transforming your financial organization's cybersecurity.

Get Started!