

Some organizations, as covered entities recognized by the New York State Department of Financial Services (NYDFS), fall under a mandatory compliance requirement to protect Nonpublic Information (NPI). To do this, you must follow the NYDFS Cybersecurity regulation, known as 23 NYCRR 500.

The regulation covers elements of cybersecurity both deep and wide, and can be unforgiving in how it must be applied. This means that it’s essential to review whether your current security posture complies with the relatively new regulatory standard.

NYDFS Cybersecurity Regulation Checklist

The 23 NYCRR 500 regulation has 16 cybersecurity-related requirements. LRQA Nettitude is able to directly assist your organization with 10 of the requirements and, for the other 6, guide your IT and development teams by providing our extensive NYDFS Cybersecurity experience and expertise:

  • Cybersecurity Program – Section 500.02
  • Cybersecurity Policy – Section 500.03
  • Chief Information Security Officer – Section 500.04
  • Penetration Testing and Vulnerability Management – Section 500.05
  • Audit Trail – Section 500.06
  • Access Privileges – Section 500.07
  • Application Security – Section 500.08
  • Risk Assessments – Section 500.09
  • Cybersecurity Personnel and Intelligence – Section 500.10
  • Third Party Service Provider Security Policy – Section 500.11
  • Multi-Factor Authentication – Section 500.12
  • Limitations on Data Retention – Section 500.13
  • Training and Monitoring – Section 500.14
  • Encryption of Nonpublic Information – Section 500.15
  • Incident Response Plan – Section 500.16
  • Notices to Superintendent – Section 500.17

What Is A ‘Covered Entity’?

The NYDFS defines a Covered Entity as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking law, the Insurance law or the Financial Services Law”.

Simply put, they are organizations that are regulated by the DFS, including:

  • State-chartered banks
  • Licensed lenders
  • Private bankers
  • Non-U.S. banks licensed to operate in New York
  • Insurance companies
  • Mortgage companies
  • Service providers
  • Trust companies

The regulation provides a degree of exemption for organizations with:

  1. Fewer than 10 employees working in New York State
  2. Less than $5 million in gross annual revenue
  3. Less than $10 million in year-end total assets

Keep in mind such exemptions need to be reviewed with legal counsel, and more than half of the Cybersecurity regulation is still required.

NYDFS Cyber Compliance Services – Where Can I Start?

The best approach to that is to create a short decision tree:

  1. I know what I don’t know (I know where my gaps are, and need support in addressing them) – go to vCISO services
  2. I don’t know anything – go to Gap Analysis engagement

Virtual CISO (vCISO) Services

LRQA Nettitude’s virtual CISO service has been helping banks and other covered entities achieve and maintain NYDFS Cybersecurity compliance for a number of years. In fact, we started with early adopters a year prior to the regulation taking effect.

A virtual CISO is a term used to describe a CISO who is a part-time consultant dedicated to you. Most of our work is delivered onsite (excluding Covid-19 restrictions) with clients, auditors, examiners, and third parties. We have worked with the NYDFS as vCISOs to our clients, along with the OCC, FDIC, FBI and other bodies.

You will be assigned an experienced NYDFS CISO consultant who will work with your IT and security teams, management, Board of Directors and business units.


NYDFS Gap Analysis

Where there is complete darkness, LRQA Nettitude are able to shed light on the NYDFS regulations. Working with your teams, we will assess and analyze your environment, business process and data against the NYDFS regulation, encompassing 16 categories and over 70 specific sub-requirements. Once concluded, you will be presented with a report and a detailed list of findings including recommendations and next steps.

This work will be conducted by one of our virtual CISOs, as a consultant.
Once you have had a chance to review the report and findings, you may decide to engage with us for vCISO services, or take your time and remediate with our expert advice when needed.

Why LRQA Nettitude for NYDFS Cyber Compliance?

LRQA Nettitude Helps Organizations with Measures Necessary for NYDFS Cybersecurity Compliance via:

  • Gap assessment against the 23 NYCRR 500 regulation to identify compliance gaps, recommend remediations, and produce a roadmap to compliance.
  • Provide a dedicated “virtual” CISO consultant to create or support your organization’s information security program and NYDFS Cybersecurity requirements from policy creation through risk management through NYDFS audit support.
  • Write or update your policies and work with you on the NYDFS associated documentation library.
  • Partner with you to provide our world class SOC service and Incident Response expertise.
  • Penetration testing and vulnerability scanning to give you the view a criminal threat actor would have of your technologies and platforms.
