The NYDFS NYCRR 500 regulation is a cornerstone for cybersecurity in the New York financial sector, establishing some of the highest standards for information security regulations in the US.

If your financial organization operates in New York, NYDFS NYCRR 500 has significant implications for your business. Yet organizations often struggle to understand the regulation’s specific cybersecurity requirements, annual certification process, incident reporting, and the implications of non-compliance.

This article offers a roadmap for organizations navigating the complexities of NYDFS NYCRR 500. We’ll explain what NYDFS NYCRR 500 is, who does and doesn’t need to comply, and key security requirements. We’ll also share a step-by-step checklist to help you achieve and maintain compliance with the 2023 amendments.

NYDFS NYCRR 500 explained

The NYDFS Cybersecurity Regulation, also known as 23 NYCRR Part 500, is a set of regulations from the New York State Department of Financial Services that establishes cybersecurity requirements for all covered financial institutions. 

The regulations were first issued in March 2017 and are designed to protect New York's financial services industry and its consumers against cyberattacks and data breaches. 

In November 2023, NYDFS announced significant amendments to NYDFS NYCRR 500, with implications for covered entities’ cybersecurity programs, governance, and reporting practices. These amendments have an effective date of April 29, 2024.

Who needs to comply with NYDFS NYCRR 500?

NYDFS NYCRR 500 regulations apply to all DFS-regulated entities, including banks, mortgage companies, insurance companies, and other financial services institutions licensed to operate in New York. Compliance with these regulations is mandatory, and they represent one of the more stringent state-level cybersecurity frameworks in the United States.

NYDFS NYCRR 500 designates three different company types, with specific requirements and reporting processes for each. 

Covered entities

Covered entities include all DFS-regulated organizations, including:

• State-chartered banks
• Credit unions
• Foreign banking organizations licensed to operate in New York
• Licensed lenders
• Mortgage companies
• Insurance companies 
• Holding companies
• Investment companies 
• Trust companies
• Budget planners
• Check cashers
• Health insurers
• Money transmitters
• Premium finance agencies 

Class A businesses

2023 amendments to NYDFS NYCRR 500 introduced a new category called "Class A" companies, which applies to covered entities with significant revenue or employee count. These companies now have additional obligations, including independent audits of their cybersecurity programs and stronger monitoring and access management requirements​​.

Class A Covered Entities have at least $20 million in gross annual revenue in each of the last two fiscal years from all business operations and either: 

• Employed at least 2,000 employees averaged over the last two fiscal years
• Generated over $1 billion in gross annual revenue in each of the last two fiscal years from all business operations

Small businesses

Section 500.19, also known as the Small Business Exemption, exempts certain small businesses from specific NYDFS NYCRR 500 requirements. There are three ways a covered entity can qualify for limited exemption:

• The covered entity and all of its affiliates combined have fewer than 20 employees and independent contractors
• The covered entity and all of its affiliates combined generated less than $7.5 million in gross annual revenue in each of the last three years from all business operations in New York
• The covered entity and all of its affiliates combined hold less than $15 million in year-end total assets

Qualified covered entities must file a Notice of Exemption through the DFS Portal. 

NYDFS NYCRR 500 cybersecurity requirements for financial services companies

While NYDFS NYCRR 500 is a comprehensive cybersecurity regulation, it focuses on a few main principles: understanding your company’s specific risks, building an effective cybersecurity program that protects against them, and establishing transparency and accountability around your efforts.

Let's dive into the key requirements of NYDFS NYCRR 500, including the 2023 amendments that expanded its provisions.

Complete periodic risk assessments

Every organization faces unique risks and threats. Entities are required to conduct periodic risk assessments to understand their specific risk landscape and inform their cybersecurity initiatives. The assessment should be regularly updated to address any changes to the information systems, nonpublic information, or business operations.

Establish and maintain a cybersecurity program

Covered entities must use the risk assessment to establish and maintain a cybersecurity program that can protect the confidentiality, integrity, and availability of their information systems. This program must be able to detect, protect against, respond to, and recover from cybersecurity events.

As part of the cybersecurity program, covered entities need to implement specific policies and processes. These include:

• Information Security Policy: Establishes data governance and classification guidelines to protect information from unauthorized access, disclosure, alteration, and destruction.
• Access Control Policy: Defines who can access specific nonpublic information and systems, how user access privileges are granted, and under what conditions.
• Business Continuity and Disaster Recovery Plan: Outlines procedures for maintaining business operations and recovering from security events with minimal impact.
• Incident Response Plan: Details the steps to detect, respond to, and recover from cybersecurity incidents to minimize damage. Under 2023 amendments, Incident response plans must now include root cause analysis and updates to plans based on incidents​​.
• Data Retention and Disposal Policies: Specifies how long data is stored and the secure methods for disposing of nonpublic information that is no longer needed for business operations.
• Third-Party Service Provider Security Policy: Sets security expectations and requirements for third parties that have access to the entity's systems and data. This includes setting minimum cybersecurity standards for vendors and conducting due diligence to evaluate the strength of their cybersecurity practices.
• Asset Inventory and Device Management Policy: Involves maintaining a detailed inventory of IT assets and implementing controls for their secure management.
• Vulnerability Management Policy: Outlines how an organization identifies, assesses, prioritizes, and addresses vulnerabilities in its systems and software. Also defines processes for regular vulnerability scans, risk assessments, patch management, and remediation strategies.

Appoint qualified cybersecurity leadership

While NYDFS NYCRR 500 originally required covered entities to report compliance to the board or senior officers, the 2023 amendments now give the person{s) responsible for overseeing cybersecurity the official title of “senior governing body.” 

The amendments also specify this senior governing body’s key responsibilities, which include:

• Possessing sufficient expertise in cybersecurity to exercise the required oversight (can include the use of advisors)
• Developing, implementing, and maintaining the covered entity’s cybersecurity program
• Regularly collecting and reviewing management reports regarding cybersecurity 
• Reviewing and approving the covered entity’s cybersecurity policies on at least an annual basis
• Ensuring that management dedicates sufficient resources to implement and maintain an effective cybersecurity program

Covered entities also need to designate a qualified individual to serve as CISO (or similar high-level governance), who is responsible for overseeing the implementation of the cybersecurity program and enforcing its policies. 

CISOs must regularly report to the senior governing body on significant cybersecurity events and changes to the cybersecurity program. Additionally, CISOs, along with the highest-ranking executive, need to file an annual notice of compliance with NYDFS. This notice either certifies material compliance with Part 500 requirements or acknowledges areas of non-compliance​​.

Lastly, covered entities must employ cybersecurity personnel to manage the entity’s cybersecurity risks and perform core cybersecurity functions. Cybersecurity personnel should receive regular training on the latest cybersecurity threats and countermeasures, including social engineering attacks.

Implement technical security controls

A strong cybersecurity posture involves putting specific safeguards in place to protect data security and privacy. Under NYDFS NYCRR 500, these security controls include:

• Multi-factor authentication: Multi-factor authentication or risk-based authentication must be enabled to prevent unauthorized access to the covered entity’s information systems.
• Encryption of nonpublic information: Covered entities must encrypt nonpublic information held or transmitted both in transit and at rest. Under the 2023 amendments, organizations can no longer use compensating controls for encryption of nonpublic information in transit over external networks.
• Systems and network security: Entities must implement protective measures and continuous surveillance to detect and respond to threats to IT infrastructure.
• Application security: Covered entities must have written procedures, guidelines, and standards to ensure the security of any applications developed in-house, as well as procedures for evaluating or testing the security of applications developed externally.
• Physical and environmental controls: Covered entities must protect the physical premises and infrastructure that house critical IT systems against unauthorized access and environmental hazards.
• Data privacy controls: Covered entities must also take steps to protect personal information from unauthorized access and disclosure.
• Security awareness training: Personnel must be trained on cybersecurity best practices, including threat awareness, social engineering tactics, and safe handling of sensitive information.

Continuously monitor and test cybersecurity program effectiveness

Covered entities are required to conduct ongoing surveillance of systems to detect cybersecurity threats and vulnerabilities. Covered entities must also conduct annual penetration testing and bi-annual vulnerability assessments to test the effectiveness of their cybersecurity programs and implement a remediation process that ensures a timely response to any identified vulnerabilities. 

2023 amendments specify that annual penetration testing must be done from both inside and outside the information systems' boundaries. There are also new requirements for monitoring privileged access and implementing endpoint detection and response solutions​​.

Create audit trail and reporting procedures

NYDFS NYCRR 500 requires covered entities to maintain an audit trail system that can reconstruct financial transactions and log access to critical systems for accountability and traceability. This system must be designed to detect and respond to cybersecurity events, and records need to be kept for a minimum of five years.

Covered entities are also required to submit an annual Certification of Compliance, and Class A covered entities to submit an independent annual audit report. 

Covered entities must notify the NYDFS Superintendent of Financial Services of any cybersecurity events that have a reasonable likelihood of impacting normal operations within 72 hours of identifying the event. 2023 amendments also require covered entities to notify NYDFS of any incidents at third-party service providers, as well as any extortion payments made in connection with a cybersecurity event​​.

How do organizations certify NYDFS NYCRR 500 compliance?

Organizations are required to prove compliance with NYDFS NYCRR 500 on an annual basis. Depending on the type of covered entity, this involves either submitting a Certificate of Compliance to the NYDFS superintendent or completing an independent audit. 

Covered entities: Annual certificate of compliance

Covered entities must certify their compliance annually in April. This process involves submitting a statement to the NYDFS affirming that the entity complies with the applicable provisions of the regulation. 

Here's how the certification process typically works:

Step 1: Review and Assessment: The first step for a covered entity is to conduct a thorough review and assessment of its cybersecurity program and practices to ensure they satisfy NYDFS NYCRR 500 requirements. This may involve an internal security audit or engaging with external cybersecurity experts to identify any gaps or areas for improvement.

Step 2: Senior Governing Body Approval: The findings from the review and any actions taken to address gaps should be documented and presented to the entity's senior governing body for review and approval.

Step 3: Submission to NYDFS: Once the senior governing body approves, the entity must prepare a Certification of Compliance attesting to its adherence to regulatory requirements for the covered calendar year.

The completed Certification of Compliance must be submitted via the NYDFS Portal by the specified deadline, which is typically April 15 of the following year. This year the deadline has been pushed to April 29, 2024 due to the recent updates. A Certification of Compliance for 2023 will need to be submitted by April 29, 2024.

Step 4: Record Keeping: Covered entities are required to maintain all records, schedules, and data supporting the certificate for five years. This documentation should be available for inspection by the NYDFS upon request and may be needed in case of a regulatory examination or audit.

Class A companies: External compliance audit

Class A covered entities are required to undergo an annual independent compliance audit. This independent audit can be conducted by either an internal or external auditor, as long as they are a truly neutral third party. This means they must be free to make decisions without being influenced by the covered entity, its owners, managers, or employees. The audit will be based on the entity’s risk assessment and verify compliance with NYDFS NYCRR 500 requirements. 

The final compliance audit report is submitted to the NYDFS through the online portal. 

How is NYDFS NYCRR 500 enforced? 

Compliance is monitored and enforced through a combination of self-certification, regulatory audits, and mandatory reporting. For example, covered entities that fail to submit a Certification of Compliance or report cybersecurity events to NYDFS may be subject to violation penalties.

The NYDFS also has the authority to audit covered entities to assess compliance, but generally, audits are only required for Class A companies. These audits can include a review of policies and procedures, an inspection of cybersecurity practices, and an evaluation of the overall effectiveness of the cybersecurity program.

If the NYDFS identifies areas of non-compliance during an examination or audit, it may require the covered entity to take corrective actions such as revising policies, enhancing security measures, or implementing additional controls.

If a covered entity fails to implement corrective actions, the NYDFS may impose penalties, including fines. The severity of these penalties can vary based on the extent of the non-compliance and the potential risk posed to consumers and the financial system.

Historically, NYDFS has issued significant violation penalties, including:

• Robinhood Crypto: $30 million
• OneMain Financial Group: $4.25 million
• Residential Mortgage Services: $1.5 million
• SA Stone Wealth Management: $1.35 million
• First American Title Insurance Company: $1 million

In its 2023 amendment to NYCRR 500, NYDFS reaffirmed its authority to enforce regulatory requirements, emphasizing that even a single act of non-compliance could constitute a violation​​.

Simplify NYDFS NYCRR 500 compliance with automation

Compliance automation software can streamline the process of adhering to NYDFS 500 by continuously monitoring systems and controls, automating manual compliance tasks, and simplifying risk assessment and reporting processes. 

Platforms like Secureframe make it easier for organizations to maintain compliance and focus on their core activities:

• End-to-end risk management: Save time and resources on periodic NYDFS 500 risk assessments by automating the process with artificial intelligence. Comply AI for Risk produces an inherent risk score, treatment plan, and residual risk score to improve your risk awareness and response.
• Policy generation: Leverage generative AI to save hours writing and refining your NYDFS NYCRR 500 policies. Easily edit and revise policies using the AI-enhanced text editor to create compliant policies that align with the tone and voice of your organization.
• Continuous monitoring and evidence collection: Hundreds of pre-built integrations monitor your tech stack and IT infrastructure to flag failing controls and automatically collect evidence of compliance.
• Vendor and asset management: Reduce third-party risk by tracking your vendors’ security posture. Store vendor reviews and security questionnaires, complete vendor risk assessments, and get recommendations to reduce your risk exposure. 
• Cross-mapping controls: Simplify and speed up compliance with other in-demand frameworks such as SOC 2, ISO 27001, and PCI DSS by applying the overlapping controls you’ve implemented for NYDFS NYCRR 500 across multiple security standards.
• Regulatory change management: Our team of compliance experts monitor changes in the regulatory landscape to keep our platform up-to-date, assist organizations through transitional periods, and ensure continued compliance with updated regulations
• Security Training: Our in-house, included training will meet NYDFS NYCRR 500 training requirements. 

To learn more about Secureframe’s capabilities, schedule a personalized demo with a product expert.