NYS DFS Cybersecurity Regulations

23 NYCRR 500



Are you ready?

Effective March 1, 2017, financial services companies in New York State have between 180 days and two years to comply with rigorous new cybersecurity regulations. Read them here.

The new regulations affect banks, consumer lenders, money transmitters, insurance companies, and certain other financial institutions.

Schedule a meeting with one of our consultants


What Are Your Key Responsibilities?

Cybersecurity Program

Your organization must establish a Written Information Security Program (WISP) that includes a Chief Information Security Officer (CISO) and a yearly risk assessment. See below for more information.

Risk Assessment

Your program must include a yearly risk assessment that identifies IT risks and strategies for mitigation. You may be exempt from implementing certain controls based on the assessment results.

Monitoring and Reporting

Once you have the results of your assessment, you must implement incident-monitoring controls and procedures, as well as an audit trail that keeps records for five years.

Annual Certification

Finally, you must file for annual certification of your cybersecurity program with the NYS Department of Financial Services.

What is a WISP?


Under 23 NYCRR 500, your organization must develop, implement, and maintain a written cybersecurity policy that includes the following:

  • Information security

  • Data governance and classification

  • Asset inventory and device management

  • Access controls and identity management

  • Business continuity and disaster recovery planning and resources

  • Systems operations and availability concerns

  • Systems and application development and quality assurance

  • Systems and network security

  • Systems and network monitoring

  • Physical securty and environmental controls

  • Customer data privacy

  • Vendor and Third Party Service Provider management

  • Risk assessment

  • Incident response

What kind of risk assessment?


The organization must conduct periodic assessments that identify cybersecurity risks. You must have policies and procedures in place that include:


  • Criteria for evaluating and categorizing risks

  • Criteria for assessing the confidentiality, integrity, security and availability of your systems

  • Requirements describing how risks will be mitigated or accepted, and how the cybersecurity program will address the risks

What needs to be monitored?


Any systems identified as at-risk by your Risk Assessment and incorporated into your cybersecurity program. This could include network appliances, databases, servers, and other systems.

What reports need to be generated?


Every organization under 23 NYCRR 500 compliance must implement an audit trail with a five-year retention period. This can include system logs, data-governance software, file audits, and anything else identified by the Risk Assessment.

Your Next Steps


We’d like to meet with you! Our certified security experts are ready to help you create a roadmap toward successful NYS DFS certification. They’ll help you prioritize critical aspects of compliance, and create a program that won’t just pass an audit – it will make your organization more secure.


Schedule a meeting with one of our consultants




About Promenet

Promenet Inc. is one of New York City’s premier providers of IT consultation, integration, and managed services. We were recently recognized by CRN magazine as one of the top 250 Managed Services Providers in North America for the fourth year in a row.