NYDFS

Summary

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered entities. The version used in this section is NYDFS, February 2017.

Definitions

Definition	Requirements
NYDFS-500_2. Cybersecurity program	161. Define secure default options 266. Disable insecure functionalities 273. Define a fixed security suite 062. Define standard configurations 079. Record exact occurrence time of events
NYDFS-500_3. Cybersecurity policy	331. Guarantee legal compliance
NYDFS-500_5. Penetration testing and vulnerability assessments	376. Register severity level 377. Store logs based on valid regulation
NYDFS-500_6. Audit trail	322. Avoid excessive logging 376. Register severity level 377. Store logs based on valid regulation 084. Allow transaction history queries
NYDFS-500_7. Access privileges	378. Use of log management system
NYDFS-500_10. Cybersecurity personnel and intelligence	142. Change system default credentials 155. Application free of malicious code 314. Provide processing confirmation 315. Provide processed data information 316. Allow rectification requests 318. Notify third parties of changes 378. Use of log management system 025. Manage concurrent sessions
NYDFS-500_11. Third party service provider security policy	262. Verify third-party components 302. Declare dependencies explicitly
NYDFS-500_12. Multi-factor authentication	229. Request access credentials 231. Implement a biometric verification component 264. Request authentication 319. Make authentication options equally secure 362. Assign MFA mechanisms to a single account
NYDFS-500_13. Limitations on data retention	183. Delete sensitive data securely 317. Allow erasure requests
NYDFS-500_14. Training and monitoring	075. Record exceptional events in logs 079. Record exact occurrence time of events 085. Allow session history queries
NYDFS-500_15. Encryption of nonpublic information	147. Use pre-existent mechanisms 213. Allow geographic location 224. Use secure cryptographic mechanisms 252. Configure key encryption 273. Define a fixed security suite 338. Implement perfect forward secrecy
NYDFS-500_16. Incident response plan	363. Synchronize system clocks 378. Use of log management system 051. Store source code in a repository

Last updated

2023/09/18