NY DFS Compliance Checklist

Interactive checklist to track your progress toward NY DFS 23 NYCRR 500 compliance. Check off items as you complete them. Items tagged "Limited Exempt" are among those that do not apply to a covered entity that qualifies for the limited exemption in 500.19(a); confirm your exemption status against the current text of 500.19 before relying on the tag, since the exemption covers more sections than this list tags.

Designate a CISO

500.04 (Limited Exempt)

Designate a qualified individual as Chief Information Security Officer, responsible for overseeing and implementing the cybersecurity program and enforcing the cybersecurity policy. The CISO may be employed by the covered entity, an affiliate, or a third-party service provider.

Board Reporting

500.04 (Limited Exempt)

CISO reports in writing, at least annually, to the board or senior governing body on the cybersecurity program and on material cybersecurity risks.

Senior Governing Body Oversight

500.04 (Limited Exempt)

Senior governing body exercises oversight of cybersecurity risk: it has sufficient understanding of cybersecurity matters to do so, and receives and reviews the CISO's reports.

Written Cybersecurity Policy

500.03

Implement and maintain a written cybersecurity policy covering every area enumerated in 500.03 (14 areas in the original 2017 rule; the 2023 amendment expanded the list, so check your policy against the current text).

Policy Approval

500.03

Policy approved, at least annually, by a senior officer or the senior governing body.

Incident Response Plan

500.16

Written incident response plan addressing the elements required by 500.16: internal response process, goals of the plan, roles and responsibilities, external and internal communications, remediation of identified weaknesses, documentation and reporting, and evaluation and revision of the plan after an event.

Business Continuity & Disaster Recovery

500.16

Written business continuity and disaster recovery plans designed to ensure the availability and functionality of information systems and material services following a cybersecurity event, including maintained and tested backups.

Access Privilege Management

500.07

Limit user access privileges to nonpublic information to what each user needs to perform their job, periodically review access privileges (at least annually under the amended rule), and promptly remove or disable accounts that are no longer needed.

Multi-Factor Authentication

500.12

Implement MFA for remote access to the covered entity's information systems, remote access to third-party applications that hold nonpublic information, and all privileged accounts. The amended 500.12 extends MFA to any individual accessing any of the covered entity's information systems, so plan coverage beyond remote and privileged access.

Password Policy

500.07

Enforce strong password requirements or equivalent controls.

Conduct Risk Assessment

500.09

Perform periodic risk assessments covering cybersecurity risks.

Update Risk Assessment

500.09

Review and update the risk assessment at least annually, and whenever a change in business or technology causes a material change to the covered entity's cyber risk.

Annual Penetration Testing

500.05 (Limited Exempt)

Conduct annual penetration testing of information systems from both inside and outside their boundaries, performed by a qualified internal or external party.

Vulnerability Assessments

500.05 (Limited Exempt)

Perform vulnerability assessments at least twice a year (the original rule's "bi-annual"); the amended 500.05 instead requires automated scans and manual reviews at a frequency set by the risk assessment, and promptly after any material system change.

Continuous Monitoring

500.05 (Limited Exempt)

Implement continuous monitoring of information systems, or, where continuous monitoring is not in place, the periodic penetration testing and vulnerability assessments above.

Audit Trail

500.06

Maintain systems that can reconstruct material financial transactions and audit trails that detect and respond to cybersecurity events with a reasonable likelihood of materially harming normal operations; retain transaction records for five years and audit trail records for three years.

Encryption in Transit

500.15

Encrypt nonpublic information in transit over external networks. The amended 500.15 allows compensating controls only for data at rest, so encryption in transit is required outright.

Encryption at Rest

500.15

Encrypt nonpublic information at rest. Where encryption at rest is infeasible, apply effective compensating controls approved in writing by the CISO and reviewed at least annually.

Data Retention Policy

500.13

Implement policies and procedures for the periodic secure disposal of nonpublic information that is no longer necessary for business operations or another legitimate purpose, and maintain the asset inventory the amended 500.13 requires.

Security Awareness Training

500.14

Provide cybersecurity awareness training, including social engineering exercises, for all personnel at least annually.

Training Updates

500.14

Update training content to reflect the risks identified in the current risk assessment and current threats.

Third-Party Security Policy

500.11

Written policies and procedures for the security of information systems and nonpublic information that are accessible to, or held by, third-party service providers.

Vendor Due Diligence

500.11

Identify and risk-assess third-party service providers, set minimum cybersecurity practices they must meet, and periodically reassess them based on the risk they present.

Vendor Contractual Requirements

500.11

Include cybersecurity requirements in vendor contracts, covering at minimum access controls (including MFA), encryption in transit and at rest, notice of cybersecurity events affecting the covered entity's systems or data, and representations and warranties about the provider's cybersecurity practices.

72-Hour Notification

500.17

Notify DFS within 72 hours of determining that a reportable cybersecurity event has occurred (one requiring notice to another government, regulatory or supervisory body, or with a reasonable likelihood of materially harming normal operations). The amended 500.17 also requires notice within 24 hours of an extortion payment.

Test Response Plan

500.16

Test the incident response plan and the business continuity and disaster recovery plans at least annually, and update them based on the results.

File Annual Certification

500.17

Submit the annual notice to DFS by April 15 each year, covering the prior calendar year: either a certification of material compliance or an acknowledgment of noncompliance with a remediation plan, signed by the CISO and the highest-ranking executive.

Maintain Certification Records

500.17

Keep all records, schedules and data supporting the annual certification or acknowledgment for five years, available to DFS on request.

Need Help With Your Compliance Program?

Buffalo Sentinel automates evidence collection, tracks your compliance status, and generates audit-ready reports.