NYS DFS Cybersecurity Compliances
NYS DFS Cybersecurity Requirements for Financial Services Companies
23 NYCRR 500 – Deadlines for Insurance Companies
http://www.dfs.ny.gov/about/cybersecurity.htm

March 1, 2017 - 23 NYCRR Part 500 becomes effective.

August 28, 2017 - 180-day transitional period ends. Covered Entities are required to be in
compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.

September 27, 2017 * - Initial 30-day period for filing Notices of Exemption under 23 NYCRR
500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption
under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption
on or prior to this date.

February 15, 2018 * - Covered Entities are required to submit the first certification under 23
NYCRR 500.17(b) (Notices to Superintendent) on or prior to this date.

March 1, 2018 - One-year transitional period ends. Covered Entities are required to be in
compliance with the requirements of sections 500.04(b) (CISO report to board), 500.05
(Monitoring/Pen Testing), 500.09 (Risk Assessment), 500.12 (Multifactor Authentication) and
500.14(b) (Monitoring) of 23 NYCRR Part 500.

September 3, 2018 - Eighteen-month transitional period ends. Covered Entities are required to
be in compliance with the requirements of sections 500.06 (Audit Trail), 500.08 (Application
Security), 500.13 (Limitations on Data Retention), 500.14(a) (Training) and 500.15 (Encryption)
of 23 NYCRR Part 500.

March 1, 2019 - Two-year transitional period ends. Covered Entities are required to be in
compliance with the requirements of 23 NYCRR 500.11 (Third Party Service Provider Security Policy).

23 NYCRR 500 Requirements

NYS DFS 23 NYCRR 500 requires all Covered Entities to be compliant with the following requirements (compliance deadline in parentheses):

  1. Risk Assessment, Section 500.09 (3/1/18)
  2. Third Party Service Provider Security Policy, Section 500.11 (3/1/19)
  3. Limitations on Data Retention, Section 500.13 (9/3/18)
  4. Notices to Superintendent, Section 500.17 (first certification under 500.17(b) due 2/15/18)
  5. Cybersecurity Program, Section 500.02 (8/28/17)
  6. Cybersecurity Policy, Section 500.03 (8/28/17)
  7. Access Privileges, Section 500.07 (8/28/17)

Under Section 500.19, Covered Entities that qualify for a limited exemption (and have filed a Notice of Exemption under 500.19(e)) are exempt from some or all of the following requirements:

  8. Chief Information Security Officer (CISO)/CISOaaS, Section 500.04 (500.04(b) CISO report to board: 3/1/18)
  9. Continuous Monitoring or periodic Penetration Testing and Vulnerability Assessments, Section 500.05 (3/1/18)
  10. Audit Trail, Section 500.06 (9/3/18)
  11. Application Security, Section 500.08 (9/3/18)
  12. Cybersecurity Personnel and Intelligence, Section 500.10 (8/28/17)
  13. Multi-factor Authentication, Section 500.12 (3/1/18)
  14. Training and Monitoring, Section 500.14 (500.14(b) Monitoring: 3/1/18; 500.14(a) Training: 9/3/18)
  15. Encryption of Nonpublic Information, Section 500.15 (9/3/18)
  16. Incident Response Plan, Section 500.16 (8/28/17)