23 NYCRR Part 500 — Cybersecurity Requirements for Financial Services Companies
Mandatory cybersecurity regulation issued by the New York Department of Financial Services for all DFS-regulated entities, including banks, insurers, and financial services companies. Its 18 sections cover the cybersecurity program, cybersecurity policy, the CISO role, penetration testing, access privileges, application security, risk assessment, third-party service provider security, multi-factor authentication, data retention, monitoring, incident response, 72-hour incident notification, and annual compliance certification. Enhanced requirements apply to Class A companies.
Controls: 137
Total Mappings: 199
Publisher: New York Department of Financial Services (NYDFS)
Version: 2023 (amended)
Control families (mapped controls per family): AC (10), AT (4), AU (12), CA (6), CM (8), CP (8), IA (5), IR (8), MA (1), MP (4), PE (1), PL (6), PM (17), PS (7), PT (3), RA (7), SA (9), SC (9), SI (7), SR (5)
AC Access Control
| Control | Name | NYDFS 500 References |
|---|---|---|
| AC-01 | Access Control Policies and Procedures | 500.3, 500.7 |
| AC-02 | Account Management | 500.7 |
| AC-03 | Access Enforcement | 500.7 |
| AC-04 | Information Flow Enforcement | 500.18 |
| AC-05 | Separation Of Duties | 500.7 |
| AC-06 | Least Privilege | 500.6, 500.7 |
| AC-17 | Remote Access | 500.12, 500.6, 500.7 |
| AC-19 | Access Control For Portable And Mobile Devices | 500.7 |
| AC-20 | Use Of External Information Systems | 500.11, 500.7 |
| AC-21 | Information Sharing | 500.18 |
AT Awareness and Training
AU Audit and Accountability
| Control | Name | NYDFS 500 References |
|---|---|---|
| AU-01 | Audit And Accountability Policy And Procedures | 500.3 |
| AU-02 | Auditable Events | 500.6 |
| AU-03 | Content Of Audit Records | 500.6 |
| AU-04 | Audit Storage Capacity | 500.6 |
| AU-05 | Response To Audit Processing Failures | 500.6 |
| AU-06 | Audit Monitoring, Analysis, And Reporting | 500.14, 500.17, 500.6 |
| AU-07 | Audit Reduction And Report Generation | 500.6 |
| AU-08 | Time Stamps | 500.6 |
| AU-09 | Protection Of Audit Information | 500.6 |
| AU-11 | Audit Record Retention | 500.6 |
| AU-12 | Audit Record Generation | 500.6 |
| AU-13 | Monitoring for Information Disclosure | 500.14 |
CA Security Assessment and Authorization
| Control | Name | NYDFS 500 References |
|---|---|---|
| CA-01 | Certification, Accreditation, And Security Assessment Policies And Procedures | 500.3 |
| CA-02 | Security Assessments | 500.2, 500.9 |
| CA-03 | Information System Connections | 500.11 |
| CA-05 | Plan Of Action And Milestones | 500.2, 500.9 |
| CA-07 | Continuous Monitoring | 500.2 |
| CA-08 | Penetration Testing | 500.5 |
CM Configuration Management
| Control | Name | NYDFS 500 References |
|---|---|---|
| CM-01 | Configuration Management Policy And Procedures | 500.3 |
| CM-02 | Baseline Configuration | 500.8 |
| CM-03 | Configuration Change Control | 500.8 |
| CM-04 | Monitoring Configuration Changes | 500.5, 500.8 |
| CM-06 | Configuration Settings | 500.5 |
| CM-08 | Information System Component Inventory | 500.13 |
| CM-12 | Information Location | 500.13 |
| CM-13 | Data Action Mapping | 500.13 |
CP Contingency Planning
| Control | Name | NYDFS 500 References |
|---|---|---|
| CP-01 | Contingency Planning Policy And Procedures | 500.16, 500.3 |
| CP-02 | Contingency Plan | 500.16, 500.2 |
| CP-03 | Contingency Training | 500.16 |
| CP-04 | Contingency Plan Testing And Exercises | 500.16 |
| CP-06 | Alternate Storage Site | 500.16 |
| CP-07 | Alternate Processing Site | 500.16 |
| CP-09 | Information System Backup | 500.16 |
| CP-10 | Information System Recovery And Reconstitution | 500.16 |
IA Identification and Authentication
| Control | Name | NYDFS 500 References |
|---|---|---|
| IA-01 | Identification And Authentication Policy And Procedures | 500.3, 500.7 |
| IA-02 | User Identification And Authentication | 500.12, 500.7 |
| IA-04 | Identifier Management | 500.7 |
| IA-05 | Authenticator Management | 500.12, 500.7 |
| IA-08 | Identification and Authentication (Non-Organizational Users) | 500.12 |
IR Incident Response
| Control | Name | NYDFS 500 References |
|---|---|---|
| IR-01 | Incident Response Policy And Procedures | 500.16, 500.3 |
| IR-02 | Incident Response Training | 500.16 |
| IR-03 | Incident Response Testing And Exercises | 500.16 |
| IR-04 | Incident Handling | 500.14, 500.16, 500.2 |
| IR-05 | Incident Monitoring | 500.16 |
| IR-06 | Incident Reporting | 500.16, 500.17 |
| IR-07 | Incident Response Assistance | 500.16 |
| IR-08 | Incident Response Plan | 500.16 |
MA Maintenance
| Control | Name | NYDFS 500 References |
|---|---|---|
| MA-01 | System Maintenance Policy And Procedures | 500.3 |
MP Media Protection
PE Physical and Environmental Protection
| Control | Name | NYDFS 500 References |
|---|---|---|
| PE-01 | Physical And Environmental Protection Policy And Procedures | 500.3 |
PL Planning
PM Program Management
| Control | Name | NYDFS 500 References |
|---|---|---|
| PM-01 | Information Security Program Plan | 500.19, 500.2, 500.3, 500.4 |
| PM-02 | Information Security Program Leadership Role | 500.10, 500.2, 500.4 |
| PM-03 | Information Security and Privacy Resources | 500.2, 500.4 |
| PM-04 | Plan of Action and Milestones Process | 500.2 |
| PM-05 | System Inventory | 500.13, 500.3 |
| PM-06 | Measures of Performance | 500.2 |
| PM-08 | Critical Infrastructure Plan | 500.9 |
| PM-09 | Risk Management Strategy | 500.2, 500.3, 500.9 |
| PM-11 | Mission and Business Process Definition | 500.19, 500.2, 500.9 |
| PM-13 | Security and Privacy Workforce | 500.10, 500.4 |
| PM-14 | Testing, Training, and Monitoring | 500.14, 500.16, 500.2 |
| PM-15 | Security and Privacy Groups and Associations | 500.10 |
| PM-16 | Threat Awareness Program | 500.10, 500.9 |
| PM-26 | Complaint Management | 500.17 |
| PM-29 | Risk Management Program Leadership Roles | 500.4 |
| PM-30 | Supply Chain Risk Management Strategy | 500.11 |
| PM-31 | Continuous Monitoring Strategy | 500.11 |
PS Personnel Security
| Control | Name | NYDFS 500 References |
|---|---|---|
| PS-01 | Personnel Security Policy And Procedures | 500.10, 500.3 |
| PS-02 | Position Categorization | 500.10 |
| PS-03 | Personnel Screening | 500.10 |
| PS-04 | Personnel Termination | 500.7 |
| PS-05 | Personnel Transfer | 500.7 |
| PS-06 | Access Agreements | 500.10 |
| PS-07 | Third-Party Personnel Security | 500.10, 500.11 |
PT Personally Identifiable Information Processing and Transparency
RA Risk Assessment
| Control | Name | NYDFS 500 References |
|---|---|---|
| RA-01 | Risk Assessment Policy And Procedures | 500.2, 500.3, 500.4, 500.9 |
| RA-02 | Security Categorization | 500.9 |
| RA-03 | Risk Assessment | 500.2, 500.9 |
| RA-05 | Vulnerability Scanning | 500.5, 500.9 |
| RA-06 | Technical Surveillance Countermeasures Survey | 500.9 |
| RA-07 | Risk Response | 500.5, 500.9 |
| RA-09 | Criticality Analysis | 500.9 |
SA System and Services Acquisition
| Control | Name | NYDFS 500 References |
|---|---|---|
| SA-01 | System And Services Acquisition Policy And Procedures | 500.3 |
| SA-03 | Life Cycle Support | 500.8 |
| SA-04 | Acquisitions | 500.11, 500.8 |
| SA-08 | Security Engineering Principles | 500.8 |
| SA-09 | External Information System Services | 500.10, 500.11 |
| SA-11 | Developer Security Testing | 500.5, 500.8 |
| SA-15 | Development Process, Standards, and Tools | 500.5, 500.8 |
| SA-17 | Developer Security and Privacy Architecture and Design | 500.8 |
| SA-22 | Unsupported System Components | 500.13 |
SC System and Communications Protection
| Control | Name | NYDFS 500 References |
|---|---|---|
| SC-01 | System And Communications Protection Policy And Procedures | 500.3 |
| SC-03 | Security Function Isolation | 500.8 |
| SC-07 | Boundary Protection | 500.14, 500.2 |
| SC-08 | Transmission Integrity | 500.15 |
| SC-12 | Cryptographic Key Establishment And Management | 500.15 |
| SC-13 | Use Of Cryptography | 500.15 |
| SC-23 | Session Authenticity | 500.12 |
| SC-28 | Protection of Information at Rest | 500.15 |
| SC-44 | Detonation Chambers | 500.14 |
SI System and Information Integrity
| Control | Name | NYDFS 500 References |
|---|---|---|
| SI-01 | System And Information Integrity Policy And Procedures | 500.3 |
| SI-02 | Flaw Remediation | 500.5, 500.8 |
| SI-03 | Malicious Code Protection | 500.14 |
| SI-04 | Information System Monitoring Tools And Techniques | 500.14, 500.2, 500.6 |
| SI-05 | Security Alerts And Advisories | 500.10, 500.5 |
| SI-07 | Software And Information Integrity | 500.8 |
| SI-12 | Information Output Handling And Retention | 500.13, 500.18 |