NYDFS

Summary

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations issued by the New York State Department of Financial Services (NYDFS) that imposes cybersecurity requirements on all covered entities. The version used in this section is NYDFS, February 2017.

Definitions

Definition | Requirements

500_2. Cybersecurity program
  062. Define standard configurations
  079. Record exact occurrence time of events
  161. Define secure default options
  266. Disable insecure functionalities
  273. Define a fixed security suite

500_3. Cybersecurity policy
  331. Guarantee legal compliance

500_5. Penetration testing and vulnerability assessments
  376. Register severity level
  377. Store logs based on valid regulation

500_6. Audit trail
  084. Allow transaction history queries
  322. Avoid excessive logging
  376. Register severity level
  377. Store logs based on valid regulation

500_7. Access privileges
  378. Use of log management system

500_10. Cybersecurity personnel and intelligence
  025. Manage concurrent sessions
  142. Change system default credentials
  155. Application free of malicious code
  314. Provide processing confirmation
  315. Provide processed data information
  316. Allow rectification requests
  318. Notify third parties of changes
  378. Use of log management system

500_11. Third party service provider security policy
  262. Verify third-party components
  302. Declare dependencies explicitly

500_12. Multi-factor authentication
  229. Request access credentials
  231. Implement a biometric verification component
  264. Request authentication
  319. Make authentication options equally secure
  362. Assign MFA mechanisms to a single account

500_13. Limitations on data retention
  183. Delete sensitive data securely
  317. Allow erasure requests

500_14. Training and monitoring
  075. Record exceptional events in logs
  079. Record exact occurrence time of events
  085. Allow session history queries

500_15. Encryption of nonpublic information
  147. Use pre-existent mechanisms
  213. Allow geographic location
  224. Use secure cryptographic mechanisms
  252. Configure key encryption
  273. Define a fixed security suite
  338. Implement perfect forward secrecy

500_16. Incident response plan
  051. Store source code in a repository
  363. Synchronize system clocks
  378. Use of log management system