NY DFS Compliance Checklist (23 NYCRR 500)

Espresso Labs Team

This checklist covers the core requirements of 23 NYCRR 500 as amended in November 2023. Use it to assess your organization’s current compliance posture and identify gaps that need to be addressed before your next annual certification.

Cybersecurity Program and Governance

  • Written cybersecurity policy approved by the board or equivalent senior officer
  • Designated CISO responsible for overseeing the cybersecurity program
  • Annual board reporting: CISO reports to board on cybersecurity posture, material risks, and program status
  • Risk assessment conducted at least annually and whenever material changes occur
  • Third-party vendor policy that requires service providers accessing NPI to maintain appropriate security controls
  • Annual certification submitted to the DFS Superintendent by February 15

Technical Controls (Mandatory Under 2023 Amendments)

  • Multi-factor authentication (MFA) required for:
    • All remote network access
    • All access to privileged accounts
    • All access to nonpublic information (NPI) from external networks
  • Encryption of NPI in transit using current and approved encryption technologies
  • Encryption of NPI at rest — or documented compensating controls with risk justification
  • Endpoint detection and response (EDR) deployed on all covered systems
  • Privileged access management (PAM): Controls to limit and monitor privileged account usage
  • Privileged account inventory: Maintained list of all privileged accounts
  • Automatic blocking of inactive accounts after a defined period
  • Password management controls: Prohibiting the use of default or easily guessable passwords

Monitoring and Testing

  • Annual penetration testing by a qualified internal or external party
  • Quarterly vulnerability scanning of all covered systems
  • Continuous monitoring or periodic review of cybersecurity events and alerts
  • Audit trail maintenance: Systems that generate audit logs sufficient to detect and respond to cybersecurity events, retained for at least 3 years

Asset and Data Management

  • Asset inventory: Up-to-date inventory of all information systems and devices
  • Data inventory: Classification and inventory of nonpublic information (NPI)
  • Data disposal: Secure disposal of NPI that is no longer needed
  • Access controls: Least-privilege access to NPI based on role and business need
  • Periodic access reviews: Regular review and removal of unnecessary user access

Incident Response

  • Written incident response plan (IRP) that includes roles, responsibilities, internal and external communications, and recovery procedures
  • Annual IRP testing: Tabletop exercise or equivalent test of the plan at least annually
  • 72-hour DFS notification of any cybersecurity event that affects the organization or its customers
  • Ransomware reporting: Notification of ransomware payments within 24 hours; full report within 30 days

Third-Party Vendor Management

  • Vendor security requirements included in contracts with third-party service providers accessing NPI
  • Vendor risk assessments performed at least annually for critical third-party providers
  • Vendor inventory: Maintained list of all third-party service providers with access to systems or NPI
  • Termination procedures: Processes to revoke vendor access upon contract end

Training and Awareness

  • Cybersecurity awareness training provided to all personnel with access to NPI or covered systems, at least annually
  • CISO-level expertise: CISO has qualifications and experience appropriate for the role and organization’s risk profile

Annual Certification Requirements

The DFS certification is due by February 15 each year for the prior calendar year. Under the 2023 amendments, you must affirmatively certify that your cybersecurity program complies with all applicable provisions — or submit a notice of acknowledgment identifying areas of non-compliance and a remediation plan.

Key certification documentation to have ready:

  • Current board-approved cybersecurity policy
  • Risk assessment results
  • CISO annual report to the board
  • Penetration testing report and remediation evidence
  • Vendor assessment results
  • MFA, EDR, PAM deployment evidence

How Espresso Labs Helps

Espresso Labs enforces these requirements automatically as a managed service — deploying and maintaining the required technical controls, continuously monitoring your environment, and maintaining the documentation your CISO needs to certify compliance. We can also fill the CISO role through our vCISO service. Contact us to close your NY DFS compliance gaps without building a large internal security team.
