The New York Department of Financial Services (NYDFS) Cybersecurity Regulation, codified at 23 NYCRR Part 500 and commonly shortened to "NYCRR 500", is a binding regulation (not voluntary guidance) that sets minimum cybersecurity requirements for financial institutions licensed or regulated by NYDFS in the state of New York.

Definition and purpose

Adopted to address the growing threat landscape in the financial sector, 23 NYCRR Part 500 establishes minimum standards to protect sensitive information and to maintain the integrity and availability of the information systems of regulated entities.

The purpose of this cybersecurity regulation is to promote the protection of customer information as well as the information technology systems of regulated entities.

Governing Body

The New York State Department of Financial Services (NYDFS) is the regulator responsible for overseeing and enforcing Part 500. The Superintendent of Financial Services promulgates and amends the regulation, receives the required filings (annual certifications and notices of cybersecurity events), and can bring enforcement actions and impose penalties for non-compliance.

Last updated

The regulation took effect on March 1, 2017, with transitional periods for individual requirements. It has been amended twice: a limited amendment in April 2020, and a substantial Second Amendment adopted on November 1, 2023, whose new requirements phase in over the following two years.

Applies to

The regulation applies to a broad range of financial institutions operating in the state of New York, including banks, insurance companies, and other financial services providers, which the regulation refers to as "covered entities".

More specifically, a covered entity is any person (including partnerships, corporations, branches, agencies, and associations) operating under, or required to operate under, a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law. The 2023 amendment added a "Class A company" tier for the largest covered entities, which carries additional obligations, while small covered entities may qualify for limited exemptions under Section 500.19.

Controls and requirements

23 NYCRR Part 500 includes a comprehensive set of controls and requirements, covering areas such as:

  • Cybersecurity policy (Section 500.3): implement and maintain a written policy or policies, approved by senior management, for the protection of the entity's information systems and the nonpublic information stored on those systems.
  • Vulnerability management (Section 500.5): implement written policies and procedures for vulnerability management, including penetration testing and vulnerability assessments, designed to assess and maintain the effectiveness of the cybersecurity program.
  • Access privileges and management (Section 500.7): limit user access privileges to nonpublic information according to the principle of least privilege, periodically review and promptly revoke access, and monitor privileged access activity.
  • Risk assessment (Section 500.9): conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program.

Refer to the full text of 23 NYCRR Part 500 for the complete list of controls and requirements.

Audit type, frequency, and duration

The regulation does not prescribe a single "audit"; instead it requires recurring assessment activities to demonstrate compliance. Penetration testing must be performed at least annually by a qualified internal or external party, vulnerability assessments on a schedule driven by the risk assessment, and the risk assessment itself must be repeated periodically. Independent audits of the cybersecurity program are required only for Class A companies (a category introduced by the 2023 amendment), and those audits may be performed by internal or external auditors provided they are free to make decisions that are not influenced by the covered entity. Every covered entity must also file an annual written certification of material compliance with the Superintendent (or, where it cannot certify, an acknowledgment of non-compliance with a remediation plan); under the 2023 amendment this filing must be signed by the entity's highest-ranking executive and its Chief Information Security Officer.

The time needed to prepare for and complete these assessments depends on the size and complexity of the financial institution, but a full review of the required controls and supporting evidence typically spans several weeks.
