Do I need to Comply with NYDFS Cybersecurity for my Cryptocurrency Company?

Am I required to comply with NYSDFS's cyber requirements as a cryptocurrency company?

The New York State Department of Financial Services (NYSDFS) adopted 23 NYCRR Part 500, its cybersecurity regulation, effective March 1st, 2017. This regulation applies to organizations and agencies in the financial services industry. Commonly regulated entities include private bankers, cryptocurrency companies, mortgage loan providers, and insurance companies.

Am I exempt from NYSDFS CRR 500?

The cybersecurity requirements of NYSDFS are complex, and typically require a full-time contractor, a third-party cyber company, or a Chief Information Security Officer (CISO) to enforce policies and oversee the technology, reporting, policies, and submissions/notifications.

If your company does not fall under the exceptions above, you should consider adopting an effective cyber program that covers the compliance requirements of NYS CRR 500.

Failure to comply, or to pass an audit, not only results in hefty financial penalties; it may also generate bad press and public distrust in your company's ability to securely store customer data. In 2022, NYSDFS issued a $30 million fine to Robinhood Crypto for the deficiencies in its cyber program detailed below.

  • Robinhood failed to comply with Section 500.08 (application security): written practices for securely developing and testing in-house applications
  • In 2020, RHC did not have a written business continuity and disaster recovery plan. Once the plan was established in November of 2020, it failed to detail critical systems, communications, training and testing, and data backup.
  • Robinhood failed to provide a telephone number on the complaints section of its website (and still does to this day) 
  • Robinhood failed to maintain adequate cybersecurity personnel.

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” 

Section 500.08 Application Security

Section 500.08 requires an entity to have a cybersecurity program with written procedures, guidelines, and standards that in-house applications, including those developed in house, must adhere to. These policies must be periodically reviewed by the CISO.

Section 500.11 Third Party Service Provider Security Policy

When you bring in a new third-party vendor, your company becomes exposed to that vendor’s cybersecurity risks. The more third-party vendors with access to your sensitive data, the higher your risk becomes of cyber attacks and exploits. 

What are some third-party vendor regulations?

  1. Identification and risk assessment
  2. Cybersecurity practices required to be met by the third-party vendor
  3. Due diligence/vendor vetting
  4. Multifactor Authentication and various access controls
  5. Encryption of NPI (at rest and in transit)
  6. Notice from the third party to your company of cybersecurity events
  7. Representations and warranties related to NPI

It is more important now than ever before to perform due diligence before bringing in a new technology partner or vendor. This is especially important when selecting a high-risk vendor who will either be accessing NPI or storing NPI on your entity's behalf.

Secure End Solution is hyper-focused on cybersecurity. We understand the risks involved as an MSP for the financial services industry. We take a responsive and transparent approach with our clients, and continually retrain on new technology. Our partnership with FCI Cybersecurity provides our team with additional separation of duties, checks and balances, and cybersecurity standards that other MSPs cannot leverage.

Not sure where to start with the identification of third-party vendor access, controls, and required cybersecurity restrictions? Request a third-party vendor checklist. 

Section 500.10/.14 Cybersecurity Personnel and Intelligence + Training and Monitoring

Utilizing qualified cybersecurity personnel or a qualified third party to address cybersecurity risks such as the Log4j vulnerability is a commonly overlooked requirement when adopting a cybersecurity program. This provider should deliver cybersecurity training to your employees, be alerted to unauthorized login attempts on IT systems, and implement risk-based policies to control or limit access to nonpublic information.

What should I be looking for in my Cyber Program or Provider?

  • Annual cybersecurity training for employees
  • Email alerts or notifications of new cyber vulnerabilities and threats
  • Least-privilege access rights on IT systems
  • Monitoring and log retention for login attempts and excessive failures
  • Third-party vendor employees using MFA to access your systems, firewall, administrator accounts, or network(s)


Lower third-party vendor risk today.

Learn about what is required for an effective cyber program before an audit occurs.