Navigating NY DFS Part 500.06: Audit Trail

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.06: Audit Trail (Deadline: September 3, 2018)

The goal of this section is to ensure that the covered entity maintains records detailed enough to (1) protect itself and its clients and (2) assist with detecting and responding to cybersecurity events. The section states that the covered entity must maintain systems, based on its risk assessment, that are designed to:

  1. Reconstruct material financial transactions sufficiently to support the normal operations and obligations of the covered entity. Such records must be maintained for at least five (5) years.
  2. Detect and respond to cybersecurity events that have a reasonable likelihood of materially harming the normal operations of the covered entity. Such records must be maintained for at least three (3) years.