New York’s Cybersecurity Requirements for Financial Services Companies


In response to the increasing cybersecurity threat posed to information and financial systems, the New York State Department of Financial Services (DFS) has passed the State of New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017 in an effort to protect customer information, as well as the IT systems of regulated entities.

What does this mean for you?

If you are a financial services organization licensed and/or regulated by the New York State DFS, you are now required to assess your specific security risk profile and design a program that addresses your organization’s risks, as well as file an annual certification that confirms you are in compliance with the regulations.

What are the requirements?

The complete list of requirements can be found here; a partial list follows:

  • Implement a cybersecurity program that can:
    • Identify and assess internal and external cybersecurity risks
    • Detect and respond to cybersecurity events
    • Fulfill applicable regulatory reporting obligations
  • Designate a Chief Information Security Officer (CISO) and utilize qualified cybersecurity personnel (may be from a third-party service provider)
  • Perform continuous monitoring or periodic penetration testing and vulnerability assessments
  • Provide regular cybersecurity awareness training and require all personnel to attend
  • Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
  • Assess risk to non-public information and information systems accessible or held by third parties, and conduct third-party security assessments at least annually
  • Implement controls, including encryption, to protect non-public data in transit and at rest
  • Establish an incident response plan

What are the deadlines?

Download this free infographic to get a list of the deadlines you need to meet.


How can EventTracker help?

Download our free Solution Brief to see how EventTracker can help you meet the requirements of 23 NYCRR 500.
