Are you compliant with the latest NYS cybersecurity regulation, 23 NYCRR Part 500, released by the Department of Financial Services?


Compliance Services


Roles/Policies/Controls

Vulnerability Analysis/Penetration Testing

Training/Continuous Monitoring


Contact us today to ask for a free consultation.


FAQs

If your organization is supervised by the Department of Financial Services, you are more than likely required to comply. Covered entities, defined as DFS-regulated individuals and entities required to comply with the regulation, include partnerships, corporations, branches, agencies, and associations operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law. Visit the exemption flowchart on the NYS DFS page to learn more.

Yes, unless you qualify for an exemption to the compliance regulation. Visit the NYS Cybersecurity Resource Center for more information.

The regulation defines three classes of businesses that are required to comply: small businesses, Class A businesses, and other covered entities. Each category has different requirements, which are outlined in the resources below.

The New York State Department of Financial Services (NYS DFS) imposes a range of penalties for non-compliance. Fines can run up to $1,000 per violation under NYS Financial Services Law Section 408. All covered entities are required to submit an annual certification.

Only if a cybersecurity incident was revealed to impact them (e.g., reporting extortion payments, customer data breaches, etc.). The SHIELD Act, NY's notification law for cybersecurity breaches, requires that companies notify customers who have been impacted by a cybersecurity event. Visit the NYS Cybersecurity Resource Center for more information.

NY is implementing stricter regulations regarding MFA. Starting Nov. 1, 2025, covered entities must use MFA for any authorized user accessing the organization's information systems. Visit the NYS Cybersecurity Resource Center for more information.

No. NYS encourages frameworks that support the needs of the organization. However, NYS also recommends the NIST Cybersecurity Framework or the CRI Profile as optional structures. Visit the NYS Cybersecurity Resource Center for more information.


Contact Our Team of Compliance Experts Today

Our team will enable you to comply with each section of the 23 NYCRR Part 500 regulation and, more importantly, reduce your risk exposure while supporting secure and reliable operations.

Email Cyber@quanterion.com to schedule a free consultation, in which our compliance experts will identify your unique needs and how they may assist. You can also call (315) 801-7777 or (877) 808-0097 (Toll Free).

Stay up-to-date! Sign up for our cybersecurity email list.