
Countdown to NYDFS cybersecurity certification


By March 1, 2018, organizations need to:

  • Appoint a chief information security officer
  • Train and monitor personnel
  • Conduct regular penetration testing and vulnerability assessments
  • Implement cyber risk assessments
  • Deploy multi-factor authentication


The Cybersecurity Requirements for Financial Services Companies released by New York State’s Department of Financial Services (NYDFS) came into effect on March 1, 2017. All financial services companies that fall under NYDFS supervision are required to implement security measures in order to protect themselves against cyber attacks. The regulation, 23 NYCRR 500, is considered the first state regulation to address financial services cybersecurity.

By February 18, 2018, Covered Entities were required to submit certification of compliance. According to the NYDFS, “Covered Entity means any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”


The multi-faceted Regulation – 23 NYCRR 500

Among many provisions, the Regulation requires organizations to:

  • Maintain a cybersecurity policy and program
  • Appoint a CISO
  • Limit access privileges and periodically review these privileges
  • Implement risk assessment controls and an incident response plan
  • Use qualified cybersecurity personnel
  • Establish a written cybersecurity incident response plan


Challenging deadlines make information risk management a top priority

The Regulation sets a number of different compliance deadlines, with timelines ranging from six months to two years. Written documentation must have been submitted to the Superintendent of Financial Services by February 2018, certifying that the organization meets the requirements.

In the event of a cyberattack or a breach, the organization must report the incident to the Superintendent within 72 hours.

It’s important to know what is necessary to meet compliance obligations. On December 12, 2017, the DFS made additions to its FAQ regarding 23 NYCRR 500. Further clarifications were made, such as whether or not penetration testing must be completed by the February documentation date (no, but the DFS expects a plan for complete penetration testing and vulnerability assessment on a regular schedule).

Other important deadlines include:


Taking the right measures for compliance

Implementation can be challenging for organizations as there are many requirements and different timelines for each of them. It is essential to take the right steps now to plan your cybersecurity program and align it with your business objectives.

Meet your obligations and deadlines with ISO 27001, the international standard for information security.

ISO 27001 is a best-practice solution that will ensure you meet the NYDFS cybersecurity requirements. This international standard provides an ISMS (information security management system) framework that can be used to meet the Regulation’s requirements, protect and monitor information, and follow a continual improvement approach that allows the organization to keep up with evolving threats.

Learn more about ISO 27001 and the NYDFS Cybersecurity Requirements >>


Free green paper on the NYDFS Cybersecurity Requirements and ISO 27001

If you would like more information on the benefits of implementing the international standard ISO 27001 alongside the NYDFS Regulation, we recommend you download our free green paper, NYDFS Cybersecurity Requirements – Part 1: The Regulation and the ISO 27001 standard.



How IT Governance can help

IT Governance can help you gain the skills and tools to implement the ISO 27001 standard alongside the Regulation. We offer products tailored to NYDFS requirements. Find out more here >>