NYDFS Cybersecurity Compliance Requirements

Soteria Cybersecurity
3 min readMar 30, 2017


Due to the ever-growing threat of cyber attacks, businesses operating in the NY State financial services and insurance industries are required to establish cybersecurity programs. The New York State Department of Financial Services (NYDFS) passed a set of regulations (23 NYCRR 500) requiring banks, insurance companies, and other financial services institutions supervised by NYDFS to establish and maintain cybersecurity programs.

The regulation was made final March 1, 2017, with the first phased sections requiring compliance by Covered Entities no later than August 28, 2017. By February 15, 2018, firms must prepare and submit to the Superintendent a Certification of Compliance.

Interested in knowing if your business is a Covered Entity subject to this ruling? Use the NYDFS business look-up tool. Any firms supervised by the NYDFS are potentially subject to the new ruling.

4-Phase Rollout of NYDFS Cybersecurity Regulation

NYDFS Cybersecurity Compliance Requirements are to be rolled out in 4 phases over the course of 2 years. The security activities that must be addressed as a part of each phase are listed below.

Phase 1: Covered Entities must comply with the following requirements by August 28, 2017:

  1. Cybersecurity Program: Develop a cybersecurity program designed to protect the confidentiality, integrity, and availability of your firm’s information systems.
  2. Cybersecurity Policy: Develop policies to protect IT systems and nonpublic information.
  3. Designating a Chief Information Security Officer: Designate a qualified individual from within your firm or through a third-party to oversee and implement your cybersecurity program.
  4. Access Privileges: Limit users access to your firm’s IT systems and nonpublic information as appropriate.
  5. Cybersecurity Personnel and Intelligence: Utilized qualified individuals to manage your firm’s security risk and oversee the performance of key security functions.
  6. Incident Response Plan: Establish a plan to promptly respond to a security incident and recover any lost information.
  7. Notices to Superintendent: Notify superintendent in the event of a security incident.

Phase 2: Covered Entities must comply with the following requirements by March 1, 2018:

  1. Risk Assessment: Conduct a security risk assessment on IT systems and nonpublic information and update as necessary.
  2. Penetration Testing and Vulnerability Assessments: Conduct an annual pen test and bi-annual vulnerability assessments to assess the effectiveness of your cybersecurity program.
  3. CISO Annual Reporting Requirements: CISO must report a cybersecurity report to the firm’s board of directors or senior officers.
  4. Multi-Factor Authentication: Users must use multi-factor authentication methods to access internal networks from an external network.
  5. Incident Notices to Superintendent: Submit a written statement to the NYDFS superintendent to verify their compliance with NYDFS cybersecurity requirements by February 15 of each year.
  6. Training and Monitoring — Provide Awareness Training to Personnel: Provide regular security awareness training to employees.

Phase 3: Covered Entities must comply with the following requirements by September 1, 2018:

  1. Audit Trail: Maintain security systems that can log and reconstruct material financial transactions for the purpose of detecting and responding to incidents.
  2. Application Security: Establish written procedures and guidelines for the secure development, monitoring, and assessment of applications created in-house.
  3. Limitations on Data Retention: Establish policies and procedures for securely disposing of nonpublic information.
  4. Training and Monitoring — Implementing risk-based policies and procedures and controls: Implement risk-based policies and procedures to detect unauthorized access of your use of nonpublic information.
  5. Encryption of Nonpublic Information: Encrypt nonpublic information while at rest and while in transit over external networks.

Phase 4: Covered Entities must comply with the following requirements by March 1, 2019:

  1. Third Party Service Provider Security Policy: Develop written policies to ensure nonpublic information is secure when shared with third-party service providers.


Limited exemptions to the NYDFS Cybersecurity ruling exist for firms that meet certain qualifications. To learn if your firm qualifies for NYDFS exemptions, contact Soteria. If your firm is eligible for exemptions under the NYDFS cybersecurity ruling, your firm is still required to file appropriate exemption forms with the NYDFS.

Soteria Can Help You Reach NYDFS Cybersecurity Compliance

Whether you are a large firm with existing security or a smaller firm needing to build a security program from the ground up, Soteria’s experts are available to provide security consulting and solutions to assist your business in reaching compliance. As a full-service cyber security consulting firm, Soteria’s experts strategically guide clients to addressing their compliance requirements in a manner that aligns with their resources. From creating policies and training to performing security assessments, Soteria’s team is equipped and ready to help facilitate your compliance with any section or unique requirement of NYDFS. Contact Soteria to get started with developing a strategy to address you NYDFS security requirements.



Soteria Cybersecurity

We are a client-focused organization providing expert advisory, consulting, and tailored solutions to assist in preventing and responding to security incidents.