What Is The DFS 23 NYCRR 500?

Cyber compliance is important for companies in every industry, but it’s especially critical for the financial sector. Cyber-criminals are developing more sophisticated approaches to exploit financial service organizations and steal their information. In response to increasing cyber-risks, New York State has added security measures to protect this industry.

The Department of Financial Services (NYSDFS) rolled out 23 NYCRR 500 in 2017, which became effective as of March 1, 2019. This regulation is one of the strictest and most granular in the cybersecurity landscape. For some organizations, compliance may be as simple as updating their existing documentation. For others, it can mean creating a full cybersecurity program from scratch. Some of the crucial elements of compliance with DFS 23 NYCRR 500 include:

Parts 500.2 through 500.8 cover the presence of a chief information security officer (CISO), penetration testing and vulnerability assessments, an audit trail, access privileges, and application security.

Parts 500.9 through 500.16 cover risk assessment, cybersecurity personnel and intelligence, third-party service provider security policy, multi-factor authentication, limitations on data retention, training and monitoring, encryption of nonpublic information, and incident response planning.

Parts 500.16 through 500.23 concern notices to the superintendent, confidentiality, exemptions, enforcement, effective date, transitional periods, and severability.


Expanded definitions of parts 500.2 through 500.23 are located here

M.A. Polce is aware of the struggles companies go through to become and remain compliant with these requirements. With experience and care, we help financial institutions implement comprehensive cybersecurity solutions to meet compliance, safeguard critical data, and enhance overall security. Connect with us to start transforming your financial organization’s cybersecurity.
