← Frameworks / Financial Regulation

23 NYCRR Part 500 — Cybersecurity Requirements for Financial Services Companies

New York Department of Financial Services mandatory cybersecurity regulation for all DFS-regulated entities including banks, insurers, and financial services companies. 18 sections covering cybersecurity program, policy, CISO, penetration testing, access privileges, application security, risk assessment, third-party service provider security, MFA, data retention, monitoring, incident response, 72-hour notification, and annual compliance certification. Enhanced requirements for Class A companies.

Clauses: 18

Avg Coverage: 80.0%

Publisher: New York Department of Financial Services (NYDFS) Version: 2023 (amended)

NYDFS 500 → SP 800-53 SP 800-53 → NYDFS 500 Coverage Analysis

Clause	Title	SP 800-53 Controls
500.2	Cybersecurity Program	PM-01 PM-02 PM-03 PM-04 PM-06 PM-09 PM-11 PM-14 PL-01 PL-02 PL-07 PL-08 CA-02 CA-05 CA-07 RA-01 RA-03 SI-04 SC-07 IR-04 CP-02
500.3	Cybersecurity Policy	PL-01 PL-02 PL-03 AC-01 AT-01 AU-01 CA-01 CM-01 CP-01 IA-01 IR-01 MA-01 MP-01 PE-01 PM-01 PS-01 RA-01 SA-01 SC-01 SI-01 SR-01 PM-05 PM-09
500.4	Cybersecurity Governance	PM-02 PM-01 PM-03 PM-13 PL-01 PL-04 RA-01 PM-29
500.5	Vulnerability Management	RA-05 RA-07 CA-08 SI-02 SI-05 CM-04 CM-06 SA-11 SA-15
500.6	Audit Trail	AU-02 AU-03 AU-04 AU-05 AU-06 AU-07 AU-08 AU-09 AU-11 AU-12 SI-04 AC-06 AC-17
500.7	Access Privileges and Management	AC-01 AC-02 AC-03 AC-05 AC-06 AC-17 AC-19 AC-20 IA-01 IA-02 IA-04 IA-05 PS-04 PS-05
500.8	Application Security	SA-03 SA-04 SA-08 SA-11 SA-15 SA-17 CM-02 CM-03 CM-04 SI-02 SI-07 SC-03
500.9	Risk Assessment	RA-01 RA-02 RA-03 RA-05 RA-06 RA-07 RA-09 PM-08 PM-09 PM-11 PM-16 CA-02 CA-05
500.10	Cybersecurity Personnel and Intelligence	PM-02 PM-13 PS-01 PS-02 PS-03 PS-06 PS-07 AT-01 AT-02 AT-03 PM-15 PM-16 SI-05 SA-09
500.11	Third-Party Service Provider Security Policy	SA-04 SA-09 SR-01 SR-02 SR-03 SR-05 SR-06 PS-07 CA-03 PM-30 PM-31 AC-20
500.12	Multi-Factor Authentication	IA-02 IA-05 IA-08 AC-17 SC-23
500.13	Asset Management and Data Retention Limitations	CM-08 CM-12 CM-13 PM-05 MP-06 SI-12 SA-22 PT-03
500.14	Monitoring and Training	SI-04 SI-03 AT-01 AT-02 AT-03 AT-04 AU-06 AU-13 IR-04 PM-14 SC-07 SC-44
500.15	Encryption of Nonpublic Information	SC-08 SC-12 SC-13 SC-28 MP-04 MP-05
500.16	Incident Response and Business Continuity Management	IR-01 IR-02 IR-03 IR-04 IR-05 IR-06 IR-07 IR-08 CP-01 CP-02 CP-03 CP-04 CP-06 CP-07 CP-09 CP-10 PM-14
500.17	Notices to Superintendent	IR-06 PM-26 AU-06
500.18	Confidentiality	PT-01 PT-03 PT-04 AC-04 AC-21 SI-12
500.19	Exemptions	PM-01 PM-11 PL-02