
NYDFS Cybersecurity Regulation

Best for: Any NYDFS-licensed entity: state-chartered banks, mortgage brokers, insurance companies, licensed lenders, and money transmitters. Section 500.19 provides a limited exemption for entities with fewer than 20 employees (including independent contractors), under $5 million in New York gross annual revenue in each of the last three fiscal years, or under $10 million in total assets. Third-party service providers face indirect requirements through Section 500.11. If NYDFS licenses your operations, you must comply.

Mandatory? Mandatory for NY-licensed financial services companies
Who validates? Annual self-certification to NYDFS Superintendent
Renewal: Annual certification
Scope: All DFS-licensed financial services companies operating in New York

๐Ÿ› New York Department of Financial Services (NYDFS) ยท NYDFS 23 NYCRR 500 (2023 amendments) Official source โ†’

Get Started

module "..." {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}

What Compliance.tf Covers vs. What You Handle

  • What Compliance.tf automates

    • Encryption at Rest: Checks encryption configuration on backup recovery points, API Gateway caches, CloudTrail logs, and CodeBuild artifacts. Each control confirms that KMS CMK or default encryption is active on the relevant resource.
    • Encryption in Transit: Flags ACM certificates within 30 days of expiration and verifies that API Gateway stages enforce SSL certificates for backend integration. Surfaces TLS configuration gaps at the API layer before they become audit findings.
    • Audit Logging and Trail Integrity: Verifies CloudTrail is enabled across all regions, S3 data events are captured, log file validation is active, and trails integrate with CloudWatch Logs. Also confirms logging is enabled on API Gateway and CodeBuild.
    • Monitoring and Alerting: Checks that CloudWatch alarm actions are enabled and that log groups enforce a minimum 365-day retention period. Detects disabled alarms that would produce gaps in incident detection.
    • Network Exposure and Access Controls: Confirms API Gateway stages are associated with WAF web ACLs, Auto Scaling launch configurations do not assign public IPs by default, and load-balanced Auto Scaling groups use health checks.
    • Backup and Recovery: Validates that backup plans enforce a minimum 35-day retention period and that manual deletion of recovery points is disabled. Produces automated evidence of backup policy configuration for examiner review.
  • What you handle

    • Encryption at Rest: Key rotation schedules, documented key management procedures per Section 500.15, and formal approval of any compensating controls where encryption cannot be applied.
    • Encryption in Transit: Enforcing minimum TLS version policies (TLS 1.2 or higher per NYDFS guidance), managing certificate renewal workflows, and verifying encryption in transit for non-AWS services and internal traffic.
    • Audit Logging and Trail Integrity: Determining which events qualify as material cybersecurity events under Section 500.06, configuring alerting on those events, and retaining audit trail records for the five-year period the regulation specifies.
    • Monitoring and Alerting: Building and tuning alert rules for cybersecurity events, maintaining the incident response plan required by Section 500.16, and reporting qualifying events to NYDFS within 72 hours per Section 500.17(a).
    • Network Exposure and Access Controls: Defining WAF rule sets appropriate to your threat profile, implementing the access privilege limitations under Section 500.07, and completing the access privilege reviews introduced by the 2023 amendment.
    • Backup and Recovery: Regular recovery procedure testing, documented recovery time objectives, and the business continuity and disaster recovery plan now required under Section 500.16(c) of the 2023 amendment.

Controls by Category

Audit Trail (Section 500.06) (5 controls)

Section 500.06 requires audit trails sufficient to reconstruct material activity, including all financial transactions and privileged access events. Multi-region trail coverage, log file integrity validation, and centralized aggregation are table stakes. The recurring gap is log completeness: organizations capture management events but miss data-plane activity like S3 object access, and assessors know exactly where to look for it.

Data Retention and Backup (Section 500.13) (1 control)

Assessors want to see two things here: backup policies with enforced minimum retention windows, and deletion protection settings that prevent recovery points from being manually removed. The latter matters for ransomware and insider threat scenarios, and NYDFS examiners treat it as a control in its own right. Documented procedures for periodic data disposal round out the evidence package for Section 500.13.

Encryption of Nonpublic Information (Section 500.15) (4 controls)

The most common finding under Section 500.15 is certificates that are expired or within days of expiry, which can force unencrypted fallback connections. Beyond certificates, assessors check that caches, backups, and log storage all use encryption with properly managed KMS keys. Where encryption is infeasible, expect to produce documented compensating controls; undocumented gaps are treated as failures.

Monitoring and Incident Detection (Section 500.05, 500.14) (2 controls)

The 2023 amendment significantly expanded Section 500.14, adding continuous monitoring or periodic vulnerability assessments and penetration testing as explicit requirements. Active, actionable alarms are checked alongside retention periods: Section 500.06(a)(2) sets a five-year retention requirement for audit trail records, so a 365-day log group retention period satisfies the automated check but almost certainly does not satisfy the regulation.
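Tying together the Section 500.06 audit trail controls above and the retention caveat in this paragraph, the following is an added Terraform example (not Compliance.tf module code) of a trail configured to pass those checks while also meeting the five-year retention the regulation itself requires. The bucket name, resource names and the two input ARNs are assumed placeholders.

```hcl
# Added example, not Compliance.tf module code: a CloudTrail configuration
# that satisfies the Section 500.06 checks described above. Bucket, names
# and the two input ARNs are placeholders.

variable "trail_bucket" {
  description = "Existing S3 bucket receiving trail logs (placeholder)"
  type        = string
}

variable "cloudtrail_cw_role_arn" {
  description = "IAM role CloudTrail assumes to write to CloudWatch Logs (assumed to exist)"
  type        = string
}

# 365 days passes the automated retention check, but Section 500.06(a)(2)
# calls for five years; 1827 is the matching CloudWatch Logs retention value.
resource "aws_cloudwatch_log_group" "trail" {
  name              = "/aws/cloudtrail/nydfs-audit-trail"
  retention_in_days = 1827
}

resource "aws_cloudtrail" "audit" {
  name           = "nydfs-audit-trail"
  s3_bucket_name = var.trail_bucket

  # Multi-region coverage and tamper-evident log files
  is_multi_region_trail         = true
  include_global_service_events = true
  enable_log_file_validation    = true

  # Centralized aggregation into CloudWatch Logs (the group ARN needs ":*")
  cloud_watch_logs_group_arn = "${aws_cloudwatch_log_group.trail.arn}:*"
  cloud_watch_logs_role_arn  = var.cloudtrail_cw_role_arn

  # Management events alone leave the data-plane gap the text describes;
  # this selector also records S3 object-level activity in every bucket.
  event_selector {
    read_write_type           = "All"
    include_management_events = true

    data_resource {
      type   = "AWS::S3::Object"
      values = ["arn:aws:s3"]
    }
  }
}
```

The bucket still needs a policy granting cloudtrail.amazonaws.com permission to write objects, and the role a trust policy for the same principal; both are outside this fragment.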

Additional Controls (62)

  • AWS Database Migration Service (1)
  • AWS IAM (1)
  • AWS Lambda (1)
  • AWS Secrets Manager (1)
  • Amazon CloudWatch Logs (1)
  • Amazon DynamoDB (2)
  • Amazon EBS (1)
  • Amazon EC2 (5)
  • Amazon EFS (1)
  • Amazon EMR (1)
  • Amazon ElastiCache (1)
  • Amazon Kinesis (1)
  • Amazon OpenSearch Service (5)
  • Amazon RDS (7)
  • Amazon Redshift (6)
  • Amazon S3 (10)
  • Amazon SNS (1)
  • Amazon SageMaker (4)
  • Amazon VPC (2)
  • Elastic Load Balancing (6)
  • Other (4)

Frequently Asked Questions

Does 23 NYCRR 500 apply to my company if we are not headquartered in New York?

Yes, if you hold any license, registration, charter, or authorization under New York Banking Law, Insurance Law, or Financial Services Law. Headquarters location is irrelevant. An insurance company domiciled in Delaware but licensed to sell policies in New York is a covered entity. The test is whether NYDFS has regulatory authority over your operations.

What changed with the 2023 amendment, and when do the new requirements take effect?

The November 2023 Second Amendment introduced a new 'Class A company' designation with stricter requirements (independent audits, endpoint detection, SIEM), added explicit business continuity and disaster recovery planning under Section 500.16(c), expanded board and senior management governance obligations, and tightened the 72-hour incident notification window. Compliance deadlines are phased: some provisions took effect April 2024, others November 2024, with the final wave due November 2025.

What does the annual certification process require?

By April 15 each year, the covered entity's highest-ranking executive or CISO must file a certification of compliance with NYDFS through the DFS cybersecurity portal, covering the prior calendar year. If full compliance cannot be certified, the entity must file an acknowledgement of noncompliance instead, identifying deficiencies and a remediation timeline. Filing a false certification carries potential liability.

What are the penalties for noncompliance?

NYDFS can impose civil monetary penalties, issue consent orders, or revoke licenses. Penalty amounts are not capped by the regulation and are determined case by case. NYDFS has issued multi-million dollar penalties in enforcement actions, including a $5 million penalty against a title insurance company in 2024. The 2023 amendment also introduced personal liability provisions for senior officers who certify compliance in bad faith.

Do the limited exemptions in Section 500.19 actually reduce compliance burden?

Partially. Qualifying small entities (fewer than 20 employees, under $5M in New York gross revenue, or under $10M in total assets) are exempt from requirements like designating a CISO, conducting penetration testing, and maintaining an incident response plan. Risk assessments, access controls, personnel training, and encryption of nonpublic information still apply. The exemption is narrower than most organizations expect, and you must file a notice of exemption with NYDFS to claim it.