Navigating NY DFS Part 500.09: Risk Assessment

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).

* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.09: Risk Assessment (Deadline: February 15, 2018)

This section requires that a covered entity conduct a periodic risk assessment of the covered entity’s information systems. The risk assessment must:

  1. be sufficient to inform the design of the cybersecurity program;
  2. be updated as reasonably necessary to address changes to the covered entity’s information systems, nonpublic information, or business operations;
  3. allow for revisions of controls to respond to technological developments and evolving threats; and
  4. consider the particular risks of the covered entity’s business operations related to cybersecurity, nonpublic information collected or stored, information systems utilized, and the availability and effectiveness of controls to protect nonpublic information and information systems.

The risk assessment should be carried out in accordance with written policies and procedures, and its performance should be documented. Those policies and procedures must include:

  1. criteria for the evaluation and categorization of identified cybersecurity risks or threats facing the covered entity;
  2. criteria for the assessment of the confidentiality, integrity, security, and availability of the covered entity’s information systems and nonpublic information, including the adequacy of existing controls in the context of identified risks; and
  3. requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks.