Skip to Primary Navigation

Skip to main content

NYDFS Rule 500

Requires financial institutions to maintain a cybersecurity program reasonably designed to protect the confidentiality, integrity and availability of its information systems. A qualified CISO must oversee and implement such a program and produce an annual report addressing specific cybersecurity issues.

Rule Overview

Jurisdiction: New York

Regulator: NYDFS

Topic: Cybersecurity

Overview
Latest News
Further Reading

Key requirements added by the most recent amendments include, among other things:

  • independent audit requirements;
  • annual approval of the cybersecurity program by a senior officer or the covered entity’s senior governing body; and
  • timely reports by the Chief Information Security Officer to the senior governing body or senior officer on material cybersecurity issues.

Of note are the requirements connected to security policies and procedures required to ensure the security of systems and information accessible to or held by third-party service providers. These include requirements for:

  • identification and risk assessment
  • minimum cybersecurity practices
  • due diligence processes
  • periodic assessment
NYDFS Rule 500.2
Detailed cybersecurity program requirements
NYDFS Rule 500.3
Cybersecurity policy areas to be covered
NYDFS Rule 500.4
Governance including CISO function
NYDFS Rule 500.5
Vulnerability management including penetration testing and automated and manual systems reviews
NYDFS Rule 500.6
Audit trail
NYDFS Rule 500.7
Access privilege and management
NYDFS Rule 500.8
Application security
NYDFS Rule 500.9
Risk assessment
NYDFS Rule 500.10
Cybersecurity personnel and intelligence
NYDFS Rule 500.11
Third-party service provider security policy
NYDFS Rule 500.12
Multi-factor authentication utilized for any information systems with only limited exemptions available
NYDFS Rule 500.13
Asset management and data retention requirements
NYDFS Rule 500.14
Monitoring and training
NYDFS Rule 500.15
Encryption of nonpublic information
NYDFS Rule 500.16
Incident response and business continuity management
NYDFS Rule 500.17
Annual notices of compliance
NYDFS Rule 500.18
Confidentiality
NYDFS Rule 500.19
Exemptions
NYDFS Rule 500.20
Enforcement
Latest News More on NYDFS 

Further Reading

NYDFS Regulatory Activity - Financial Services Law Go to https://www.dfs.ny.gov/industry_guidance/regulatory_activity/financial_services#final-adoptions NYDFS Rule 500 Summary Go to https://nysba.org/NYSBA/Meetings%20Department/2018%20Annual%20Meeting/Coursebooks/Health%20Law/04%20Additional%20materials%20dfsrf500sapa.pdf NYDFS Rule 500 Amends (blackline) Go to https://www.dfs.ny.gov/system/files/documents/2023/10/rf_fs_2amend23NYCRR500_text_20231101.pdf