NY DFS 500 Cyber Security Regulation Readiness Checklist

NY DFS 500 regulation is designed to promote the protection of customer information & the information technology systems of regulated entities.

The New York State Department of Financial Services (“DFS”) has been closely monitoring the ever-growing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program. Adoption of the program outlined in these regulations is a priority for New York State.

  1. Cyber Security Program (Section 500.02)

Establish a cyber security program, informed by periodic risk assessments, that is designed to identify and evaluate the risks to your Information Systems and Nonpublic Information and to protect them. The program must include processes to detect Cybersecurity Events, respond to them, recover from them, and fulfil all regulatory reporting obligations.

Solution – With our experts and wide coverage of services, you will be able to successfully establish or extend your Cyber Security Program.

  2. Cyber Security Policies (Section 500.03)

Based on your risk assessment, written policies and procedures must be created, approved and maintained to protect your organization’s Information Systems and Nonpublic Information.

Solution – We offer a Virtual CISO service to help you write custom security policies and procedures and to advise you on their maintenance.

  3. Chief Information Security Officer (Section 500.04)

FIs must designate a qualified individual as Chief Information Security Officer (CISO), responsible for overseeing and implementing the cyber security program and enforcing the cyber security policy. The CISO may be employed by the regulated entity, by one of its affiliates, or by a third-party service provider.

Solution – Our Virtual CISO service provides your organization with qualified security advisers who guide security efforts, execute plans and implement a custom strategy for your company, acting as an extension of your security team and covering security program assessment, development and management.

  4. Penetration Testing and Vulnerability Management (Section 500.05)

FIs must perform annual Penetration Testing and twice-yearly (bi-annual) Vulnerability Assessments of their Information Systems, scoped according to the risks identified in their Risk Assessment.

Solution – Matrix-IFS’ annual Penetration Testing and vulnerability assessments, scoped to the risks identified for your Information Systems, give your organization a realistic look at how attackers exploit IT vulnerabilities and actionable ways to stop them. Our team conducts hundreds of penetration tests annually, and our engineers are continuously trained on the latest attack techniques and defensive innovations so that they can identify and neutralize threats in a constantly evolving landscape.

  5. Audit Trail (Section 500.06)

FIs must maintain audit trails sufficient to reconstruct material financial transactions (retained for not fewer than five years) and records of Cybersecurity Events that have a reasonable likelihood of materially harming normal business operations (retained for not fewer than three years).

Solution – We will provide guidance on logging and log retention across your entire business.

  6. Access Privileges (Section 500.07)

User access privileges to Information Systems that provide access to Nonpublic Information must be limited to what each role requires, and must be reviewed periodically.

Solution – Receive advice from an experienced CISO on best practices for implementing and maintaining least-privilege access.

  7. Application Security (Section 500.08)

Financial institutions must implement written procedures, guidelines and standards that ensure secure development practices for internally developed applications, together with procedures for periodically evaluating, assessing and security-testing the externally developed applications they use.

Solution – With our application security services you can understand and test today’s modern and complex applications; we deliver comprehensive vulnerability reports with actionable remediation recommendations.

  8. Risk Assessments (Section 500.09)

FIs must conduct periodic, documented risk assessments that consider the threats to their Information Systems and Nonpublic Information and examine the adequacy of existing controls in the context of the identified risks.

Solution – Matrix-IFS offers risk assessments that evaluate the effectiveness of your cyber security controls and produce a prioritized, risk-based security roadmap detailing the recommendations needed to improve your security posture.

  9. Cyber Security Personnel and Intelligence (Section 500.10)

FIs must employ qualified cyber security personnel (their own, an Affiliate’s, or a Third-Party Service Provider’s) sufficient to manage the organization’s cyber security risks and to perform or oversee the performance of core cyber security functions, and must ensure those personnel stay current on evolving threats and countermeasures.

Solution – Our highly trained cyber security engineers can effectively address relevant risks and monitor evolving threats and the corresponding countermeasures.

  10. Third-Party Service Provider (Section 500.11)

Written policies and procedures must be implemented to ensure the security of Information Systems and Nonpublic Information that are accessible to, or held by, Third-Party Service Providers.

Solution – Our team will help you write policies and procedures that cover third-party service providers, including how their security is assessed.

  11. Multi-Factor Authentication (Section 500.12)

Multi-Factor Authentication (verifying a user’s identity with at least two independent factors, for example a password plus a one-time code or hardware token) is required to protect against unauthorized access to Nonpublic Information or Information Systems, in particular for any individual accessing the institution’s internal networks from an external network.

  12. Limitations on Data Retention (Section 500.13)

Policies and procedures are required for the periodic secure disposal of any Nonpublic Information that is no longer necessary for legitimate business operations, unless it must be retained by law or regulation.

  13. Training and Monitoring (Section 500.14)

The activity of Authorized Users must be monitored in order to detect unauthorized access to, or use or tampering with, Nonpublic Information. Regular cyber security awareness training is required for all personnel.

Solution – With our 24/7/365 SOC as a Service you get actionable intelligence and complete visibility into your environment. Our Cyber Security Training raises the awareness of your employees and management of IT governance issues, helps them recognize security concerns and teaches them how to respond appropriately.

  14. Encryption of Nonpublic Information (Section 500.15)

Controls, including encryption, must be implemented to protect Nonpublic Information both in transit over external networks and at rest. Where encryption is infeasible, effective compensating controls may be used instead, approved by the CISO, who must review the feasibility of encryption and the effectiveness of those controls at least annually.

Solution – Our CISO will advise you on encryption implementation covering your data at rest and in transit.

  15. Incident Response Plan (Section 500.16)

A written incident response plan must be designed to promptly respond to, and recover from, any Cybersecurity Event materially affecting the confidentiality, integrity or availability of Information Systems or the continuing functionality of any aspect of the business.

Solution – With our team monitoring your environment, we apply our preventive and reactive protocols to ensure an immediate response at the first sign of a breach.

Need assistance with NY DFS 500? Drop us a message in the form below. Our experts are here to offer immediate assistance and will help your institution reduce its risk and become fully compliant.

Don’t miss our Readiness Webinar on April 15, 2 pm EST. To register, click here.

