NYDFS Cybersecurity Regulation
Best for: Any NYDFS-licensed entity: state-chartered banks, mortgage brokers, insurance companies, licensed lenders, and money transmitters. Section 500.19(a) provides a limited exemption (from some sections, not from the regulation as a whole) for covered entities with fewer than 20 employees and independent contractors, less than $7.5 million in gross annual revenue in each of the last three fiscal years (counting the covered entity's operations and its affiliates' New York operations), or less than $15 million in year-end total assets; these are the thresholds set by the 2023 amendment, and an exempt entity still has to file a Notice of Exemption. Third-party service providers are not licensed themselves but face pass-through requirements through Section 500.11, which obliges covered entities to impose minimum cybersecurity practices on them by policy and contract. If NYDFS licenses your operations, you must comply.
| Attribute | Detail |
|---|---|
| Mandatory? | Mandatory for NY-licensed financial services companies |
| Who validates? | Annual certification of material compliance (or a written acknowledgment of noncompliance) filed with the NYDFS Superintendent, signed by the highest-ranking executive and the CISO |
| Renewal | Annual certification, due April 15 for the prior calendar year |
| Scope | All DFS-licensed financial services companies operating in New York |
Official source: New York Department of Financial Services (NYDFS), NYDFS 23 NYCRR 500 (2023 amendments)
Get Started
```hcl
module "..." {
  source  = "nydfs23.compliance.tf/terraform-aws-modules/<module>/aws"
  version = "<version>"
}
```

What Compliance.tf Covers vs. What You Handle
What Compliance.tf automates
- Encryption at Rest: Checks encryption configuration on backup recovery points, API Gateway caches, CloudTrail logs, and CodeBuild artifacts. Each control confirms that KMS CMK or default encryption is active on the relevant resource.
- Encryption in Transit: Flags ACM certificates within 30 days of expiration and verifies that API Gateway stages enforce SSL certificates for backend integration. Surfaces TLS configuration gaps at the API layer before they become audit findings.
- Audit Logging and Trail Integrity: Verifies CloudTrail is enabled across all regions, S3 data events are captured, log file validation is active, and trails integrate with CloudWatch Logs. Also confirms logging is enabled on API Gateway and CodeBuild.
- Monitoring and Alerting: Checks that CloudWatch alarm actions are enabled and that log groups enforce a minimum 365-day retention period. Detects disabled alarms that would produce gaps in incident detection.
- Network Exposure and Access Controls: Confirms API Gateway stages are associated with WAF web ACLs, Auto Scaling launch configurations do not assign public IPs by default, and load-balanced Auto Scaling groups use health checks.
- Backup and Recovery: Validates that backup plans enforce a minimum 35-day retention period and that manual deletion of recovery points is disabled. Produces automated evidence of backup policy configuration for examiner review.
What you handle
- Encryption at Rest: Key rotation schedules, documented key management procedures per Section 500.15, and formal approval of any compensating controls where encryption cannot be applied.
- Encryption in Transit: Enforcing minimum TLS version policies (TLS 1.2 or higher per NYDFS guidance), managing certificate renewal workflows, and verifying encryption in transit for non-AWS services and internal traffic.
- Audit Logging and Trail Integrity: Determining which events qualify as cybersecurity events under Section 500.06(a)(2) (those with a reasonable likelihood of materially harming normal operations), configuring alerting on those events, and retaining records for the periods Section 500.06(b) specifies: at least five years for the transaction-reconstruction records under 500.06(a)(1) and at least three years for the cybersecurity-event records under 500.06(a)(2). A 365-day log retention floor covers neither period.
- Monitoring and Alerting: Building and tuning alert rules for cybersecurity events, maintaining the incident response plan required by Section 500.16, notifying NYDFS within 72 hours of determining that a cybersecurity incident has occurred (including one at a third-party service provider) per Section 500.17(a), and notifying NYDFS of any extortion payment within 24 hours per Section 500.17(c).
- Network Exposure and Access Controls: Defining WAF rule sets appropriate to your threat profile, implementing the access privilege limitations under Section 500.07, and completing the access privilege reviews introduced by the 2023 amendment.
- Backup and Recovery: Regular recovery procedure testing, documented recovery time objectives, and the business continuity and disaster recovery plan required under Section 500.16 as amended in 2023, together with the at-least-annual testing of both the incident response and BCDR plans that the same section requires.
Controls by Category
Audit Trail (Section 500.06) (5 controls)
Section 500.06 requires audit trails sufficient to reconstruct material financial transactions (500.06(a)(1)) and to detect and respond to cybersecurity events that could materially harm normal operations (500.06(a)(2)); in practice that means privileged access and data access events as well as transaction logs. Multi-region trail coverage, log file integrity validation, and centralized aggregation are table stakes. The recurring gap is log completeness: organizations capture management events but miss data-plane activity like S3 object access, and assessors know exactly where to look for it.
Data Retention and Backup (Section 500.13) (1 control)
Assessors want to see two things here: backup policies with enforced minimum retention windows, and deletion protection settings that prevent recovery points from being manually removed. The latter matters for ransomware and insider threat scenarios, and NYDFS examiners treat it as a control in its own right. Documented procedures for periodic data disposal round out the evidence package for Section 500.13.
Encryption of Nonpublic Information (Section 500.15) (4 controls)
The most common finding under Section 500.15 is certificates that are expired or within days of expiry. An expired certificate does not silently weaken TLS; it breaks the handshake, and the operational pressure that follows is what produces the real gap: clients configured to skip certificate validation, or services quietly fronted over plain HTTP until the renewal lands. Beyond certificates, assessors check that caches, backups, and log storage all use encryption with properly managed KMS keys. Where encryption is infeasible, expect to produce documented compensating controls approved by the CISO; undocumented gaps are treated as failures.
Monitoring and Incident Detection (Sections 500.05, 500.14) (2 controls)
The 2023 amendment tightened both sections. Section 500.05 now requires penetration testing at least annually from inside and outside the information system boundary, plus automated vulnerability scans with manual review of systems the scanners cannot cover. Section 500.14 requires monitoring of user activity to detect unauthorized access, protection against malicious code including in web traffic and email, and annual training that covers social engineering. Active, actionable alarms are checked alongside retention periods, and this is where the check and the regulation diverge: Section 500.06(b) requires the transaction-reconstruction records under 500.06(a)(1) to be kept at least five years and the cybersecurity-event records under 500.06(a)(2) at least three years, so a 365-day log group retention period satisfies the automated check but does not satisfy the regulation.
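The audit-trail controls described in this category, and the retention gap just noted, can be reproduced as a small offline check. The following is an added example, not Compliance.tf module code: it runs the Section 500.06 checks (multi-region trail, log file validation, CloudWatch Logs integration, S3 data events, retention against both 500.06(b) floors) over dicts constructed here in the shape of boto3 `cloudtrail.describe_trails`, `get_trail_status`, `get_event_selectors` and `logs.describe_log_groups` responses. The field names follow those APIs; the trail, account ID and log groups are made up, and nothing calls AWS.

```python
"""Offline Section 500.06 audit-trail checks over constructed AWS-shaped input.

Added example; not Compliance.tf code. Input dicts mirror boto3 response shapes
so the functions could be fed live output, but no AWS calls are made here.
"""
from __future__ import annotations

# 500.06(b) floors, expressed as CloudWatch Logs retention values. CloudWatch only
# accepts a fixed list of day counts; 1096 and 1827 are the smallest that cover
# three and five years respectively.
RETENTION_A1_DAYS = 1827  # 500.06(a)(1): transaction-reconstruction records, 5 years
RETENTION_A2_DAYS = 1096  # 500.06(a)(2): cybersecurity-event records, 3 years
VENDOR_MIN_RETENTION_DAYS = 365  # floor enforced by the automated check on this page


def s3_data_events_captured(selectors: dict) -> bool:
    """True if classic or advanced event selectors log S3 object-level events."""
    for sel in selectors.get("EventSelectors", []):
        for res in sel.get("DataResources", []):
            if res.get("Type") == "AWS::S3::Object":
                return True
    for sel in selectors.get("AdvancedEventSelectors", []):
        for fs in sel.get("FieldSelectors", []):
            if fs.get("Field") == "resources.type" and "AWS::S3::Object" in fs.get("Equals", []):
                return True
    return False


def check_trail(trail: dict, status: dict, selectors: dict) -> list[str]:
    """Return 500.06 findings for one CloudTrail trail; an empty list means clean."""
    findings = []
    if not status.get("IsLogging", False):
        findings.append("trail is not logging")
    if not trail.get("IsMultiRegionTrail", False):
        findings.append("trail is single-region; activity in other regions is not captured")
    if not trail.get("LogFileValidationEnabled", False):
        findings.append("log file validation disabled; integrity of delivered logs cannot be proven")
    if not trail.get("CloudWatchLogsLogGroupArn"):
        findings.append("no CloudWatch Logs integration; alarms on the trail are not possible")
    if not s3_data_events_captured(selectors):
        findings.append("S3 data events not captured; object access cannot be reconstructed")
    return findings


def retention_status(log_group: dict) -> dict:
    """Compare one log group's retention with the vendor floor and both 500.06(b) floors.

    describe_log_groups omits retentionInDays when retention is 'Never expire';
    that case satisfies every floor.
    """
    days = log_group.get("retentionInDays")

    def meets(floor: int) -> bool:
        return days is None or days >= floor

    return {
        "logGroupName": log_group["logGroupName"],
        "vendor_check": meets(VENDOR_MIN_RETENTION_DAYS),
        "500.06(a)(2)": meets(RETENTION_A2_DAYS),
        "500.06(a)(1)": meets(RETENTION_A1_DAYS),
    }


# Constructed sample input (hypothetical trail, account ID and log groups).
TRAIL = {
    "Name": "org-trail",
    "IsMultiRegionTrail": True,
    "LogFileValidationEnabled": True,
    "CloudWatchLogsLogGroupArn": "arn:aws:logs:us-east-1:123456789012:log-group:/aws/cloudtrail/org-trail:*",
}
STATUS = {"IsLogging": True}
MANAGEMENT_ONLY = {"EventSelectors": [
    {"ReadWriteType": "All", "IncludeManagementEvents": True, "DataResources": []},
]}
WITH_S3_DATA = {"AdvancedEventSelectors": [{"Name": "s3-objects", "FieldSelectors": [
    {"Field": "eventCategory", "Equals": ["Data"]},
    {"Field": "resources.type", "Equals": ["AWS::S3::Object"]},
]}]}
LOG_GROUPS = [
    {"logGroupName": "/aws/cloudtrail/org-trail", "retentionInDays": 365},  # vendor check only
    {"logGroupName": "/aws/apigateway/prod", "retentionInDays": 1096},      # 3 years: (a)(2) only
    {"logGroupName": "/security/trail-archive"},                             # never expire: all pass
]


def run() -> dict:
    """Run every check over the constructed input and return results by name."""
    return {
        "management_only": check_trail(TRAIL, STATUS, MANAGEMENT_ONLY),
        "with_s3_data": check_trail(TRAIL, STATUS, WITH_S3_DATA),
        "retention": [retention_status(g) for g in LOG_GROUPS],
    }


if __name__ == "__main__":
    for name, result in run().items():
        print(name, result)
```

The management-events-only trail produces exactly the finding the category text warns about, and the 365-day log group passes the vendor floor while failing both regulatory floors, which is the distinction an examiner will draw.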
Additional Controls (62)
AWS Database Migration Service (1)
AWS Lambda (1)
AWS Secrets Manager (1)
Amazon CloudWatch Logs (1)
Amazon DynamoDB (2)
Amazon EC2 (5)
Amazon ElastiCache (1)
Amazon Kinesis (1)
Amazon OpenSearch Service (5)
Amazon RDS (7)
Amazon Redshift (6)
Amazon S3 (10)
Amazon SageMaker (4)
Amazon VPC (2)
Elastic Load Balancing (6)
Related Frameworks
NIST CSF: High overlap (70%)
NYDFS 23 NYCRR 500 maps closely to the NIST Cybersecurity Framework, and NYDFS has referenced NIST CSF in guidance documents. Risk assessment, incident response, and access control requirements align well across both. NIST CSF covers broader governance areas that NYDFS addresses through its own prescriptive requirements.
NIST 800-53 Rev 5: High overlap (60%)
Many NYDFS technical controls (encryption, audit logging, access management) correspond to NIST 800-53 control families SC, AU, and AC. NIST 800-53 is far more granular, so organizations already compliant with 800-53 typically satisfy the technical requirements of NYDFS with little additional work. The governance requirements are NYDFS-specific and still need to be implemented: a designated CISO with an annual written report to the board, the annual certification filing, and the 72-hour incident notification.
SOC 2: Medium overlap (55%)
SOC 2 Trust Services Criteria for Security, Availability, and Confidentiality partially overlap with NYDFS requirements around access controls, monitoring, and encryption. SOC 2 does not prescribe specific technical implementations, so a SOC 2 Type II report alone does not satisfy NYDFS certification requirements.