Navigating NY DFS Part 500.14: Training and Monitoring

Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).


* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.

Section 500.14(a): Training and Monitoring (Deadline: September 3, 2018)

This section requires the covered entity to implement policies, procedures, and controls designed to monitor the activity of authorized users and detect the unauthorized access, use, or tampering of nonpublic information by such authorized users.

Section 500.14(b): Training and Monitoring (Deadline: February 15, 2018)

This section requires the covered entity to provide cybersecurity awareness training to all personnel. Such training should be regularly updated to reflect risks identified by the covered entity’s risk assessment.