
NY DFS Enforcing Cybersecurity Requirements

If you are a New York Financial Services organization and have not complied with the New York Department of Financial Services (DFS) Cybersecurity Regulations (23 NYCRR 500), you probably received a notice over the weekend. The notices were sent by Maria Vullo of the DFS with the subject: Failure to File Certification of Compliance. Below is an image of the actual email:

[Image: NY DFS Email]

New York Financial Services Organizations are required to submit an annual certificate of compliance by February 15th. Here is the regulation's description of the certificate of compliance:

Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

NY DFS Cybersecurity Regulations

At a high level, the NY DFS Cybersecurity Regulations require NY Financial Services Organizations to put in place a security program to protect the sensitive financial information that these organizations store, access or maintain.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.

Some of the requirements include:

    • Section 500.02 Cybersecurity Program.
      (a) Cybersecurity Program. Each Covered Entity shall maintain a cybersecurity program designed to protect the confidentiality, integrity and availability of the Covered Entity’s Information Systems.
    • Section 500.03 Cybersecurity Policy.
      Cybersecurity Policy. Each Covered Entity shall implement and maintain a written policy or policies, approved by a Senior Officer or the Covered Entity’s board of directors (or an appropriate committee thereof) or equivalent governing body, setting forth the Covered Entity’s policies and procedures for the protection of its Information Systems and Nonpublic Information stored on those Information Systems. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and address the following areas to the extent applicable to the Covered Entity’s operations:
    • Section 500.09 Risk Assessment.
      (a) Each Covered Entity shall conduct a periodic Risk Assessment of the Covered Entity’s Information Systems sufficient to inform the design of the cybersecurity program as required by this Part. Such Risk Assessment shall be updated as reasonably necessary to address changes to the Covered Entity’s Information Systems, Nonpublic Information or business operations. The Covered Entity’s Risk Assessment shall allow for revision of controls to respond to technological developments and evolving threats and shall consider the particular risks of the Covered Entity’s business operations related to cybersecurity, Nonpublic Information collected or stored, Information Systems utilized and the availability and effectiveness of controls to protect Nonpublic Information and Information Systems.
    • Section 500.14 Training and Monitoring.
      As part of its cybersecurity program, each Covered Entity shall:
      (a) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and
      (b) provide regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.
    • Section 500.17 Notices to Superintendent.
      (a) Notice of Cybersecurity Event. Each Covered Entity shall notify the superintendent as promptly as possible but in no event later than 72 hours from a determination that a Cybersecurity Event has occurred that is either of the following:
      (1) Cybersecurity Events impacting the Covered Entity of which notice is required to be provided to any government body, self-regulatory agency or any other supervisory body; or
      (2) Cybersecurity Events that have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.
      (b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by February 15 in such form set forth as Appendix A, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.

Partner with Breach Secure Now!

If you are a Managed Service Provider and have clients that must comply with NY DFS Cybersecurity Regulations, contact us to see how you can use Breach Secure Now! (BSN) to help. BSN was built for cybersecurity requirements and provides:

      1. Security Risk Assessments
      2. Security Policies
      3. Security Awareness Training
      4. 3rd Party Security Contract Addendum
      5. Security Incident Guidelines and Documentation

Find Out More >> https://breachsecurenow.com/contact-us/
