NYDFS: Are you ready for the September 3 NYDFS deadline?

With a month to go until the NYDFS (New York State Department of Financial Services) deadline for the next set of requirements under its Cybersecurity Regulation (23 NYCRR 500), here is a checklist of the sections that Covered Entities must have in place by September 3:


  • 500.06 – Audit Trail
  • 500.08 – Application Security
  • 500.13 – Limitations on Data Retention
  • 500.14(a) – Training and Monitoring
  • 500.15 – Encryption of Nonpublic Information

Comply with NY’s cybersecurity regulations with ISO 27001

ISO 27001 is the international standard that sets out the requirements for a best-practice ISMS (information security management system). Clauses 4.2 and 4.3 of ISO 27001 require an organization to identify the legal, regulatory and contractual requirements that apply to it and to take them into account when defining the scope of the ISMS; for Covered Entities, those requirements include the NYDFS Cybersecurity Regulation. The table below shows where each of the September requirements of 23 NYCRR 500 maps to ISO 27001:2013 clauses and Annex A controls:

NYDFS requirement                             ISO 27001:2013 clauses            ISO 27001:2013 Annex A controls
--------------------------------------------  --------------------------------  -----------------------------------
500.06 – Audit Trail                          7.5                               A.6.1.5, A.12, A.13, A.16, A.18.1.3
500.08 – Application Security                 (none)                            A.14
500.13 – Limitations on Data Retention        (none)                            A.8.3.2, A.11.2.7, A.18.1.3
500.14(a) – Training and Monitoring           7.2, 7.3                          A.7.2.2, A.12.4, A.12.7, A.18.2.2
500.15 – Encryption of Nonpublic Information  6.1.2, 6.1.3, 6.2, 8.3, 9.1, 9.3  A.10

Where a requirement is marked "(none)" in the clauses column, it maps only to Annex A controls and not to a clause of the main body of the standard.

Learn more about 23 NYCRR 500

The requirements for the September deadline do not cover all of 23 NYCRR 500. Download our free green paper, NYDFS Cybersecurity Requirements, to find out how ISO 27001 can help you fully meet the DFS requirements and protect your business against vulnerabilities and cybersecurity threats.

IT Governance can help you achieve compliance

IT Governance can help you gain the skills and tools to implement ISO 27001 alongside the Regulation. We offer products tailored to NYDFS requirements. Find out more >>