IDC Names Securiti a Worldwide Leader in Data Privacy


US New York DFS Cybersecurity Regulations

Operationalize compliance with the most comprehensive PrivacyOps platform

Last Updated on December 12, 2023

Privacy Center
Fully Functional In Minutes

Elegant Consumer Frontend, Fully Automated Backend, Privacy Regulation Intelligent Everywhere.


The New York State Department of Financial Service Cybersecurity Regulations or 23 NYCRR 500 is a set of 23 cybersecurity requirements mandatory for all financial institutions registered in New York working under its Banking Law, Insurance Law, or Financial Services Law.

Presented by the New York State Department of Financial Services (DFS), this regulation came into effect on March 1st, 2017, after two separate rounds of feedback and comments from both the general public and the industry itself. The regulation requires all financial institutions to undertake rigorous assessments of the risks posed to their systems and operations and undertake robust cybersecurity measures to address these risks.

Organizations were given 180 days to comply with the law, with additional periods of 12, 18, and 24 months to comply with various sections of the regulation.

The Solution

Securiti offers organizations PI data discovery, DSR automation, documented accountability, and AI-process automation, among other privacy solutions, to ensure compliance with the New York State Department of Financial Services Cybersecurity Regulations.

Thanks to its state-of-the-art artificial intelligence and machine learning algorithm-based products, Securiti is a pioneer in offering enterprise solutions in data governance and compliance.

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.

NYDFS compliance Solution

With its state-of-the-art artificial intelligence and machine-learning-based tools, Securiti is a market leader in providing data governance and compliance solutions.

Request a demo today to learn how Securiti can aid you and your organization's compliance efforts.


Automate Risk Assessments & Audit Trails

Sections: 500.09, 500.02(b),500.03(m), 500.06

Organizations can easily automate and schedule regular risk assessments to ensure their practices are fully compliant with the requirements of 23 NYCRR 500.

Automatic Risk Assessment Audit
NYDFS Automatic Policy Alerts

Protect Nonpublic Information

Sections: 500.03(a), 500.15

Organizations can ensure all Nonpublic Information collected and retained by them is provided the appropriate protection by implementing security protocols such as encryption and tokenization.

Automate Incident Response Plan

Sections: 500.16, 500.17

Organizations can implement and automate every step of their data breach incident response plan to ensure a proactive approach is adopted, resulting in minimal damage.

Incident Response Plan
Vendor Risk Management

Fulfill Vendor Risk & Third Party Service Provider Management Requirements

Sections: 500.03(I), 500.11

Organizations can automate exhaustive regular risk assessments of vendors' and third parties' data practices to ensure they are compliant with the law's requirements.

Fulfill Data Governance & Classification Requirement

Sections: 500.03(b), 500.03(c)

Using data classification and data discovery, organizations can ensure all relevant nonpublic information is identified, classified, and all appropriate data governance controls are applied to ensure compliance with the regulation.

Data Governance and Asset Classification
Data Risk Explorer New York State Department of Financial Services Cybersecurity Regulations

Ensure Access Controls & Identity Management

Sections: 500.03(d), 500.07

By applying and monitoring strict access controls, organizations can ensure privilege to nonpublic information is only extended to authorized individuals, creating a secure infrastructural environment.

Automate System Security & Monitoring

Section: 500.05

Organizations can continuously monitor the security and access controls placed on Nonpublic Information to protect it from cybersecurity threats.

personal data monitoring tracking
DSR Workbench

Fulfill Data Retention Requirements

Section: 500.13

Organizations can apply data retention controls in real time to ensure they retain data for as long as it is required for business operations or other legitimate business purposes or by the law.

Facts Related To New York State Department of Financial Services Cybersecurity Regulation

Each organization subject to the NY DFS Cybersecurity Regulation:


Must appoint a Chief Information Security Officer (CISO) to oversee the implementation of the cybersecurity policy within the organization and have cybersecurity personnel and intelligence;


Must develop a cybersecurity program and policy for the protection of the Nonpublic Information stored on their Information Systems;


Must conduct regular risk assessments of its information systems to ensure cybersecurity risks to its business operations and the confidentiality, integrity and security of Nonpublic Information held by it are identified and mitigated through appropriate controls;


Is advised to implement Multi-Factor Authentication or Risk-Based Authentication controls internally to eliminate illegal or unauthorized access to critical information systems resources;


Must file a notice of exemption from the regulation with the NYDFS within 30 days of the determination that they are exempt. Organizations with fewer than 10 employees or having less than $5,000,000 in gross annual revenue from their New York operations over the past 3 fiscal years, or having less than $10,000,000 in year-end total assets are exempt from most major obligations of this regulation;


Must adhere to the regulation or risk enforcement by the Superintendent of Financial Services through hefty fines and civil penalties.

IDC MarketScape

Securiti named a Leader in the IDC MarketScape for Data Privacy Compliance Software

Read the Report