NYDFS

Summary

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the New York State Department of Financial Services (NYDFS) that places cybersecurity requirements on all covered entities. The version used in this section is NYDFS, February 2017.

Definitions

Definition | Requirements

500_2. Cybersecurity program
  062. Define standard configurations
  079. Record exact occurrence time of events
  161. Define secure default options
  266. Disable insecure functionalities
  273. Define a fixed security suite

500_3. Cybersecurity policy
  331. Guarantee legal compliance

500_5. Penetration testing and vulnerability assessments
  376. Register severity level
  377. Store logs based on valid regulation

500_6. Audit trail
  084. Allow transaction history queries
  322. Avoid excessive logging
  376. Register severity level
  377. Store logs based on valid regulation

500_7. Access privileges
  378. Use of log management system

500_10. Cybersecurity personnel and intelligence
  025. Manage concurrent sessions
  142. Change system default credentials
  155. Application free of malicious code
  314. Provide processing confirmation
  315. Provide processed data information
  316. Allow rectification requests
  318. Notify third parties of changes
  378. Use of log management system

500_11. Third party service provider security policy
  262. Verify third-party components
  302. Declare dependencies explicitly

500_12. Multi-factor authentication
  229. Request access credentials
  231. Implement a biometric verification component
  264. Request authentication
  319. Make authentication options equally secure
  362. Assign MFA mechanisms to a single account

500_13. Limitations on data retention
  183. Delete sensitive data securely
  317. Allow erasure requests

500_14. Training and monitoring
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  085. Allow session history queries

500_15. Encryption of nonpublic information
  147. Use pre-existent mechanisms
  213. Allow geographic location
  224. Use secure cryptographic mechanisms
  252. Configure key encryption
  273. Define a fixed security suite
  338. Implement perfect forward secrecy

500_16. Incident response plan
  051. Store source code in a repository
  363. Synchronize system clocks
  378. Use of log management system