Compliance with 23 NYCRR 500 - NYDFS Cybersecurity
New York financial services firms must comply with 23 NYCRR 500, a regulation from the New York Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered NY financial institutions. NYCRR 500 was created in 2017 to protect consumers and institutions that do business in New York from increasingly sophisticated cybersecurity crimes targeting sensitive customer information. The regulation essentially creates a feedback loop between a company’s cybersecurity program and its risk assessments: the risk assessments drive the program, and the program’s results feed back into subsequent assessments.
If cybercriminals are one concern for NY-based financial firms, meeting the compliance requirements of NYCRR 500 is another. The regulation requires audit trails for all required activities, such as policies, data forms, and assessments. Qualified cybersecurity personnel must manage these risks and perform the core cybersecurity functions, and the firm’s CISO must report to the board annually on the state of the cybersecurity program. Additionally, NYCRR 500’s annual statement of certification must be audit-ready and retained for five years.