NY DFS COMPLIANCE FOR DUMMIES 

STANDARD COMPANIES

In November 2023, New York updated its cybersecurity law, NY DFS 23 NYCRR 500, affecting all financial firms in the state, and those financial companies nationwide with customers from New York.
With the April 15th compliance deadline near, it’s important to understand and apply these new changes.

What do you need to comply with?

The amendments have expanded both the number and the scope of the cybersecurity requirements for compliance. Each part of the 23 NYCRR 500 cybersecurity law has been further defined and specified with additional details and expanded implementation requirements for each section’s cyber requirement.

BEFORE:

500.02 Cybersecurity Program
  • Develop and maintain a robust cybersecurity program

500.03 Cybersecurity Policy
  • Implement a comprehensive cybersecurity policy

500.04 Cybersecurity Governance
  • Implement a comprehensive cybersecurity policy

500.05 Vulnerability Management
  • Implement a comprehensive cybersecurity policy

500.06 Audit Trail
  • Implement a comprehensive cybersecurity policy

500.07 Access Privileges
  • Regulate employee access

500.08 Application Security
  • Implement a comprehensive cybersecurity policy

500.09 Risk Assessment
  • Institute procedures to assess and test the security of externally developed applications.

500.10 Cybersecurity Personnel and Intelligence
  • Implement a comprehensive cybersecurity policy

500.11 Third Party Service Provider Security Policy
  • Implement policies and procedures to ensure the security of information held by third-party service providers

500.12 MFA Multifactor Authentication
  • Implement a comprehensive cybersecurity policy

500.13 Limitations on Data Retention
  • Procedure for how and when PII (Personally Identifiable Information) data is disposed of

500.14 Monitoring and Training
  • Implement a comprehensive cybersecurity policy

500.15 Encryption
  • Implement a comprehensive cybersecurity policy

500.16 Incident Response Plan
  • Implement a comprehensive cybersecurity policy

500.17 Notices to Superintendent
  • Be able to file reporting within 72 hours of data breach or hack

500.18 – 500.23
  • Confidentiality, Enforcements, Dates, Periods, Severability.

NEW REQUIREMENTS AS OF NOV 2023:

500.02 Cybersecurity Program
  • Develop and maintain a robust cybersecurity program
  • Document own cyber program and cyber programs by affiliates

500.03 Cybersecurity Policy
  • Implement a comprehensive cybersecurity policy based on risk assessments
  • Maintained and implemented by an employee or third party with adequate experience
  • Incident response, notification, vulnerability management
  • Asset inventory and device management, including end-of-life management
  • Network monitoring
  • Security awareness and training

500.04 Cybersecurity Governance
  • CISO, if a third party, must still work in tandem with a senior staff member of the entity
  • Must include plans for remediating material inadequacies
  • Report timely on cybersecurity issues or changes to the cyber program
  • Senior governing body of the company must now have sufficient understanding of cybersecurity matters to exercise oversight, which may include the use of advisors
  • Require development of the cybersecurity program
  • Regularly receive and review reports
  • Confirm that sufficient allocation of resources allows for maintaining the cyber program

500.05 Vulnerability Management
  • Must develop written policies and procedures
  • Must do annual penetration testing, both internal and external
  • Must do automated scans and manual review of systems regularly AND after any material system changes
  • Remediate vulnerabilities in a timely fashion

500.06 Audit Trail
  • Maintain systems for audit trails that can reconstruct material financial transactions
  • Designed to detect and respond to cybersecurity events
  • Retain the transaction-reconstruction records for no fewer than 5 years and the event-detection records for no fewer than 3 years

500.07 Access Privileges and Management
  • Regulate employee access
  • Multifactor authentication implementation
  • Remote devices securely configured or disabled
  • Proper termination of accounts and access following departures

500.08 Application Security
  • Written policies and standards to ensure secure development practices for in-house developed applications
  • Reviewed and updated by the CISO at least annually

500.09 Risk Assessment
  • Institute procedures to assess and test the security of internal and external applications
  • Must be updated annually, AND any time a change in business or technology impacts cyber risk
  • Impact assessment must be conducted
  • Tailored to the specific company’s circumstances for testing

500.10 Cybersecurity Personnel and Intelligence
  • Utilize qualified cybersecurity personnel or a third-party provider sufficient to oversee regulatory compliance
  • Provide updates and training
  • Verify cybersecurity personnel maintain current knowledge of threats and countermeasures

500.11 Third Party Service Provider Security Policy
  • Implement policies and procedures to ensure the security of information held by third-party providers
  • Risk assess third-party providers, repeated periodically

500.12 MFA Multifactor Authentication
  • MFA (token or app based) implemented for local and remote access to systems
  • CISO reviews controls periodically, at minimum annually

500.13 Access Management and Data Retention
  • Written policies and procedures for complete and accurate documentation of all assets
  • Owner, location, classification, support expiration date, recovery time objectives, update frequency
  • Policies and procedures for secure asset disposal

500.14 Monitoring and Training
  • Monitor activity of authorized users and detect unauthorized access
  • Risk-based controls to protect against malicious code, including filtering web traffic and email
  • Periodic, but at minimum annual, cybersecurity awareness training

500.15 Encryption
  • Written policy requiring encryption that meets industry standards to protect non-public information both in transit over external networks and at rest

500.16 Incident Response and Business Continuity Management
  • Written proactive measures to investigate and mitigate events
  • Business continuity and disaster recovery plan
  • Copies of the plans are distributed and available to all staff
  • Provide training to all employees responsible for implementing the plans
  • Annually test plans with staff and revise plans as necessary
  • Test ability to restore from backups
  • Maintain backups necessary to restore material operations that are protected from unauthorized alteration or destruction

500.17 Notices to Superintendent
  • Be able to file reporting within 72 hours of data breach or hack under expanded “events”, including third-party providers or affiliates
  • 24 hour reporting of extortion payments
  • 30 day reporting explaining why payment was necessary and what alternatives were considered

500.17 Continued – Proof of Compliance
  • Written statement certifying DFS compliance with ALL requirements, demonstrated by data and document proof
  • Written statement of failing DFS compliance: where and why compliance was not achieved, and a timeline for remediation
  • Produce documentation of compliance upon request to the Superintendent

500.20 Enforcement
  • Any failure of any requirement for a 24 hour period, and failure to secure or prevent unauthorized access, is NON-Compliance

500.20(c) Penalty for Violations
  • Determined by the Superintendent based on 16 factors

500.18 – 500.24
  • General Confidentiality, Enforcements, Dates, Periods, Severability

DFS COMPLIANCE DONE FOR YOU

Let us handle all of the paperwork and implementation that will bring your company into Full DFS Compliance, alongside technical optimization so you run more smoothly than ever before.

Hand off the stress and frustration of DFS Compliance to an expert Cybersecurity and Compliance Team that works specifically with companies like yours and understands your unique day to day business operations and technical needs.

Start with a FREE No-Nonsense Technology and DFS Compliance Assessment to gain the knowledge of where you stand and what you need. You also need one for certifying proof of DFS Compliance so it’s two birds with one stone – knowledge and power.


Claim your FREE No-Nonsense Technology and DFS Compliance Assessment by CLICKING HERE.

5 Biggest Changes to DFS Law

Multi Factor Authentication

  • Utilize MFA for local access to laptops and computers
  • Remote access, Office 365 and more
  • App- or token-based MFA preferred; text-based (SMS) MFA is no longer considered secure or recommended

Endpoint Security

  • Endpoint security is a cybersecurity approach that focuses on protecting individual devices, such as computers, smartphones, and servers, from cyber threats like malware and unauthorized access.
  • It encompasses a combination of measures, such as firewalls and intrusion detection systems, to secure these devices and safeguard an organization's data and network integrity.

Asset Management and Application Control

  • Must be able to track owner, location, sensitivity, support expiration date, and recovery time objectives for EACH asset (laptop, phone, PC)
  • Regularly update and validate the asset inventory
  • Policy for secure disposal of nonpublic information
  • Have in place the ability to scan and detect malicious applications and prevent them from being installed to systems.

Penetration Testing

  • By simulating real-world cyberattacks, it provides a critical means for agencies to discover and rectify security weaknesses, ultimately improving overall security posture, reducing the risk of breaches, and safeguarding sensitive data and customer trust.

PROOF OF CYBERSECURITY IMPLEMENTATION

  • Certifies entity complied during prior calendar year
  • Must provide data and documentation to accurately demonstrate compliance in the form of reports, certifications or otherwise
  • Signed by CISO (Chief Information Security Officer) and CEO responsible

NEW ENFORCEMENT RULE

500.20 Enforcement: Any failure of any requirement for a 24 hour period, and failure to secure or prevent unauthorized access, is NON-Compliance.
There is no “full exemption” from the law, only limited exemption or no exemption at all.

Compliance Filing Deadline

All entities must file Certification of Compliance and Proof by April 15th, 2024.


Entities must now also report to DFS where they are NOT in compliance, why they were not in compliance, a proof of plan for coming into compliance for those failings, and a date of which those compliance items will be implemented.

Our Free Compliance Assessment Will Give You The Answers You Want, The Certainty You Need.

This Assessment will provide verification from a Qualified Third Party on your NY DFS Compliance posture, whether or not your current IT company is doing everything they should be, and if your business is at serious risk for hacker attacks, data loss and extended downtime, as well as how to solve these issues.

Walter Contreras, registered NY DFS instructor, Cybersecurity expert, and CEO of Motiva Networks understands how the world’s digital transformation is impacting small to medium sized businesses. With over 25 years of experience in information technology and cybersecurity, his vision is clear – safeguarding and strengthening the digital backbone of business owners.
