Disclaimer: The following information is generalized, not necessarily up-to-date with current laws and/or rulings, and should not be relied upon for legal purposes. The following information is not intended to be legal advice; individuals should consult an attorney in their respective jurisdiction(s) to obtain legal advice tailored to their specific needs and applicable law(s).
* Italicized terms used throughout this article refer to terms defined in 23 NYCRR § 500 (NY DFS 500). A copy of 23 NYCRR § 500 can be found here.
NY DFS 500’s Requirements
The requirements set forth by NY DFS 500 do not all take effect at once: covered entities (a discussion of covered entities and exemptions can be found here) must comply with each section by a different date, depending on the section. These dates are set out in 23 NYCRR § 500.22, which refers to them as Transitional Periods and measures them from the regulation's effective date of March 1, 2017. The same dates are published on the New York Department of Financial Services' website, found here, and the Department also maintains a list of frequently asked questions, found here.
The following is a general overview of the transitional periods and their respective requirements as provided in NY DFS 500.
Transitional Period 1 (Deadline: August 28, 2017)
- Section 500.02: Cybersecurity Program
- Section 500.03: Cybersecurity Policy
- Section 500.04(a): Chief Information Security Officer (Appointment)
- Section 500.07: Access Privileges
- Section 500.10: Cybersecurity Personnel & Intelligence
- Section 500.16: Incident Response Plan
- Section 500.17(a): Notice to Superintendent (notice of a cybersecurity event)
Transitional Period 2 (Deadline: March 1, 2018, one year after the effective date)
- Section 500.04(b): Chief Information Security Officer (Reporting)
- Section 500.05: Penetration Testing & Vulnerability Assessments
- Section 500.09: Risk Assessment
- Section 500.12: Multi-Factor Authentication
- Section 500.14(b): Cybersecurity Awareness Training
- Section 500.17(b): Notice to Superintendent (annual certification of compliance, due by February 15 of each year; the first certification was due February 15, 2018)
Transitional Period 3 (Deadline: September 3, 2018)
- Section 500.06: Audit Trail
- Section 500.08: Application Security
- Section 500.13: Limitations on Data Retention
- Section 500.14(a): Monitoring Controls
- Section 500.15: Encryption of Nonpublic Information
Transitional Period 4 (Deadline: March 1, 2019)
- Section 500.11: Third Party Service Provider Security Policy