NYDFS Cybersecurity Regulation

What is NYDFS?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered financial institutions.

Compliance with 23 NYCRR 500 - NYDFS Cybersecurity

New York financial services firms must comply with 23 NYCRR 500, a regulation from the New York Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered NY financial institutions. NYCRR 500 was created in 2017 to protect consumers and institutions that do business in New York from increasingly sophisticated cybersecurity crimes targeting sensitive customer information. The regulation essentially creates a feedback loop between a company’s cybersecurity programme and its risk assessments.

If cybercriminals are one concern for NY-based financial firms, meeting the compliance requirements for NYCRR 500 is another. The regulation requires audit trails for all required activities, such as policies, data forms, and assessments. Qualified cybersecurity experts are required to manage these risks and perform core cybersecurity functions, and the firm’s CISO must report to the board annually on the state of the cybersecurity programme. Additionally, the NYCRR 500 annual statement of certification must be audit-ready and retained for five years.