What is New York state’s DFS Regulation 23?

The Department of Financial Services (DFS) Cyber Security Regulation 23 NYCRR 500 is designed to promote the protection of customer information as well as the information technology systems of regulated financial services entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers, and organizations must file an annual certification confirming compliance with these regulations.

Specific requirements include, but are not limited to:

  • Implement and maintain written cybersecurity policies
  • Designate a Chief Information Security Officer
  • Implement multi-factor authentication
  • Encrypt non-public information
  • Develop an incident response plan

When did DFS Regulation 23 go into effect?

The regulation went into effect on March 1, 2017.

What are the penalties for failing to comply with DFS Regulation 23?

Noncompliance could provide the basis for the DFS or consumers to make claims against banks, insurers and other financial services firms for breach of certification.