Common Cybersecurity Requirements of NYSDFS CRR 500 You May Be Overlooking

Common Cybersecurity Requirements of NYSDFS CRR 500 You May Be Overlooking

New York State Department of Financial Services made the 23 NYCRR Part 500 a cybersecurity regulation on March 1st, 2017. It applies to organizations and agencies in the financial service industry. Companies such as Mortgage Banks, Insurance Firms, and Private Lenders are required to comply.

What do auditors look for with cybersecurity?

Overall, an IT Audit will evaluate your cybersecurity program and require you to submit documentation on the programs, systems, controls, policies, and procedures for your current cybersecurity program. 

 A good cybersecurity stance will enable you or your IT department to submit necessary logs, verify monitoring, or easily identify risk-based policies that limit access to nonpublic information. 

Failure to comply can result in massive financial penalties for your organization. Failing to comply with FFIEC guidelines can result in penalties totaling $2million. In 2018, NYSDFS issued a $1.8 million dollar fine to a New York State insurance company who failed to implement multi-factor authentication, an explicit control required by NYSDFS CRR 500.12(b).

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” 

500.15 Encryption Of Nonpublic Information

Encryption is key to protecting nonpublic information, but is not only limited to hard-drives as some may think. The CISO must review compensating controls to non encrypted systems or methods of transportation annually.

What should my cyber program be encrypting or using?

  • External emails with nonpublic information contained within 
  • SFTP and SSH transportation methods
  • Workstations and laptops accessing nonpublic information 
  • Cloud and local backups at rest and in transport 
  • Encrypted Databases and Applications
  • VPN Networks (SSL VPN, Site-to-Site VPN)


When encryption cannot be used, such as an in-house database or application, your CISO should implement a compensating control to make up for the loss of security. These control methods should be reviewed for effectiveness and risk level annually. 

500.5 Continuous Monitoring

An important component of a strong cybersecurity stance is active monitoring for cyberthreats. Section 500.5 points out that “continuous monitoring” can be attained through a combination of technical tools, controls, systems, or programs that detect changes and vulnerabilities on systems.

What’s not considered continuous monitoring?

  1. Manual Reviews of logs and configuration files
  2. Periodic review of firewall changes or logins
  3. Not enabling or configuring alerting for IPS or IDS (Intrusion Prevention Services)

Depending on your business, you may have continuous monitoring in place for various IT systems. It is important to implement active monitoring on all IT systems that contain PII.

  • Network Security monitoring (IPS/IDS)
  • Email monitoring with SMTP alerting
  • Firewall monitoring with SMTP alerting
  • Antivirus monitoring
  • Cloud / Virtual Network Infrastructure monitoring
  • IAM, IDP, and Identity Management monitoring
  • Backup Solution monitoring


Want to learn more about our approach to high-level monitoring and how we can identify and protect your network? Check out our Secure247+ Cybersecurity Program

500.10/.14 Cybersecurity Personnel and Intelligence + Training and Monitoring

Utilizing qualified cybersecurity personnel or a qualified third party to address cybersecurity risks such as the Log4j Vulnerability is a commonly overlooked requirement when adopting a cybersecurity program. This provider should provide your employees with cybersecurity training, be alerted to unauthorized login attempts on IT systems, and implement risk-based policies to control or limit access to nonpublic information. 

What should I be looking for in my Cyber Program or Provider?

  • Annual cybersecurity training for employees 
  • Email alerts/or notifications to new cyber vulnerabilities and threats
  • Least privilege access rights on all IT systems
  • Monitoring for login attempts/excessive failures
  • Their employees using MFA to access your systems, firewall, administrator accounts, or network

Are You Audit Ready?

We can increase your cybersecurity stance before an audit occurs.