The Department of Financial Services (DFS) Cyber Security Regulation 23 NYCRR 500 is designed to promote the protection of customer information as well as the information technology systems of regulated financial services entities. This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers, and organizations must file an annual certification confirming compliance with these regulations.

Specific requirements include, but are not limited to:

• Implement and maintain written cybersecurity policies
• Designating a Chief Information Security Officer
• Implement multi-factor authentication
• Encrypt non-public information
• Develop an incident response plan