Cyberattacks are on the rise, with bad actors accelerating their nefarious exfiltration of valuable and confidential data from financial institutions, Federal agencies, healthcare organizations, and more. According to an IBM study, the Financial Services industry saw an increase in the cost of data breach from $5.72M in 2021 to $5.97M in 2022, an increase of 4.4% YOY, making it the industry with the second highest recovery costs. No doubt, breaches are costly — but more importantly, they compromise the privacy and sensitive PII of customers and erode trust in the compromised company.
And so, cybersecurity legislation and regulations are on the rise worldwide. Many US federal agencies, industry watchdogs, and even individual states are defining and enforcing new regulations intended to address the rising tide of cyberattacks and force more organizations to adopt cybersecurity best practices.
As such, the New York State Department of Financial Services (NYDFS) created NYDFS Cybersecurity Regulation 23 NYCRR 500. This blog examines the regulation’s parameters and how enterprises can use Qualys Policy Compliance to help meet its mandates.
About the NYDFS Cybersecurity Regulation
The New York State Department of Financial Services (NYDFS) issued its Cybersecurity Regulation 23 NYCRR 500 in order to “promote the protection of customer information as well as the information technology systems of regulated entities”.
This regulation requires companies under DFS oversight to conduct a risk assessment, implement a program with security controls to address and mitigate risk, and then proactively detect and respond to cyber events. The law includes 23 sections outlining the requirements for developing and implementing an effective cybersecurity program. New cybersecurity requirements for organizations regulated by NYDFS went into effect back in March 2017.
Who Is Covered under the NYDFS Cybersecurity Regulation?
The NYDFS Cybersecurity Regulation applies to all entities operating under or required to operate under DFS licensure, registration, or charter. It also applies to entities which are otherwise DFS-regulated as well as unregulated third-party service providers to regulated entities by extension. Examples of covered entities include:
- State chartered banks
- Licensed lenders
- Private bankers
- Foreign banks licensed to operate in New York State
- Mortgage companies
- Insurance companies
- Service providers
In short, any institution that needs a license from the NYDFS is covered by this regulation. View full list of Institution Types.
Who is Exempted from the NYDFS Cybersecurity Regulation?
There are limited exemptions to the NYDFS Cybersecurity Regulation. Exemptions include organizations that:
- Employ fewer than 10 employees
- Produce <$5M in revenue per year from operations in New York State over the last three years
- Hold <$10M in total assets at year-end
Challenges of NYDFS Regulatory Compliance
The Financial Services sector remains a prime target for cybercriminals because of the high value of the monetary spoils to be gained. According to recent cybersecurity research, financial services firms may fall victim to cybersecurity attacks up to 300X more frequently than businesses in other industries.
The biggest challenge when meeting compliance with the NYDFS Cybersecurity Regulation is that it has broad requirements. This scope makes it difficult for financial institutions to measure if the controls their organizations already have in place or plan to implement ensure full compliance.
Non-compliance with the NYDFS regulation can become a costly legal matter to organizations.
Qualys Compliance Solutions Support NYDFS Regulatory Compliance
The Qualys Cloud Platform’s policy compliance solution helps organizations under NYDFS oversight to comply with 23 NYCRR 500 mandates.
Using Qualys Policy Compliance (PC), organizations get a holistic view of their compliance posture using mandate-based reporting that prioritizes any failures. After generating a comprehensive report against each NYDFS cybersecurity requirement section by section, organizations can view compliance status and details for their environment against each NYDFS requirement. This makes it easy to understand both technical and procedural NYDFS requirements as well as the remediation steps required to comply.
Figures 1 and 2 are two examples of the NYDFS reporting delivered by Qualys PC:
Qualys Policy Compliance has a rich library of technical controls across 350+ technologies (e.g. OS, web applications, databases, network devices, firewalls, browsers). It covers all technical requirements of the NYDFS Cybersecurity Regulation, including the following:
| NYDFS Requirement No | NYDFS Requirement Title |
| 500.05 | Penetration Testing and Vulnerability Assessments. |
| 500.06 | Audit Trail. |
| 500.07 | Access Privileges. |
| 500.08 | Application Security. |
| 500.09 | Risk Assessment. |
| 500.12 | Multi-Factor Authentication. |
| 500.13 | Limitations on Data Retention. |
| 500.15 | Encryption of Nonpublic Information. |
However, all requirements of 23 NYCRR 500 are not technical. Some of them address proper procedures that require manual or human intervention. Enterprise compliance teams need not worry about using a separate solution to address purely procedural controls. Qualys Cloud Platform is a one-stop solution for achieving compliance against the important NYDFS regulation.
Qualys offers its Security Assessment Questionnaire (SAQ) which provides a rich library of security template questionnaires out-of-the-box to cover non-technical requirements. The security questionnaire for NYDFS Cybersecurity Regulation 23 NYCRR 500 covers all procedural requirements that are not covered by Qualys PC. How Qualys SAQ is able to map section by section to specific requirements helps to speed up the overall compliance process.
The following cybersecurity procedural requirements of NYDFS are covered by Qualys SAQ:
| NYDFS Requirement No | NYDFS Requirement Name |
| 500.01 | Definitions |
| 500.02 | Cybersecurity Program. |
| 500.03 | Cybersecurity Policy. |
| 500.04 | Chief Information Security Officer. |
| 500.05 | Penetration Testing and Vulnerability Assessments. |
| 500.10 | Cybersecurity Personnel and Intelligence. |
| 500.11 | Third Party Service Provider Security Policy. |
| 500.13 | Limitations on Data Retention. |
| 500.14 | Training and Monitoring. |
| 500.16 | Incident Response Plan. |
| 500.17 | Notices to Superintendent. |
| 500.18 | Confidentiality. |
| 500.19 | Exemptions. |
| 500.20 | Enforcement. |
| 500.21 | Effective Date. |
| 500.22 | Transitional Periods. |
| 500.23 | Severability. |
Figure 3 below shows the template questionnaire covering NYDFS Cybersecurity Regulation 23 NYCRR 500 within Qualys SAQ.
Compliance teams receive details of the organization’s compliance posture for each procedural control using Qualys SAQ:
Get Started with Qualys Compliance Solutions for NYDFS
Qualys Cloud Platform is a one-stop solution that covers not only technical requirements with Qualys Policy Compliance, but also procedural requirements with Qualys Security Assessment Questionnaire. Together, this integrated compliance solution helps enterprises of any size to easily comply with the NYDFS Cybersecurity Regulation 23 NYCRR 500.