New York State Department of Financial Services · NY
Resource to Assist Small Businesses with Development of Cybersecurity Program, Pursuant to DFS Cybersecurity Regulation
May 13, 2024
Summary
The NY DFS has issued a model Cybersecurity Program Template to assist individual licensees and small entities in meeting the requirements of 23 NYCRR Part 500. While usage of the template does not guarantee compliance, it serves as a guide for implementing mandatory security controls, risk assessments, and asset tracking.
Industry Letter
Guidance Letter
May 13, 2024
To: DFS-Regulated Independent Insurance Agents and Mortgage Loan Originators
Re: Resource to Assist Small Businesses with Development of Cybersecurity Program, Pursuant to DFS Cybersecurity Regulation
The New York State Department of Financial Services’ (DFS) Cybersecurity Regulation 23 NYCRR Part 500 (Cybersecurity Regulation) requires covered entities, including individual licensees and single person regulated entities, to maintain a cybersecurity program.*
Pursuant to the Cybersecurity Regulation, covered entities must maintain a cybersecurity program designed to identify and assess cybersecurity risks; protect nonpublic information (such as confidential customer information or sensitive business information) and the computers, phones, and other electronic devices storing such information from unauthorized access and other malicious acts; detect, respond to, and recover from cybersecurity events; and comply with applicable regulatory reporting obligations.
To assist individual licensees and single person regulated entities in creating a cybersecurity program, DFS has developed a model Cybersecurity Program Template. This resource prompts licensees to carefully consider and address the core concepts of a cybersecurity program in order to help create a program that complies with the requirements of the Cybersecurity Regulation. The template also includes frameworks for developing and tracking asset inventories, risk assessments, multi-factor authentication exceptions, and third-party service providers. This template is not a substitute for independently evaluating any business, legal, or other issues, and completion does not assure compliance with the Regulation.
The Cybersecurity Program Template is available to download via the Department’s Cybersecurity Resource Center. For more information about the Cybersecurity Regulation, including its requirements, please visit the DFS website.
*Note: Entities with full exemptions pursuant to Section 500.19(b), (e) or (g), or limited exemptions pursuant to Section 500.19(c) or (d), are not required to maintain a cybersecurity program. The Department’s 'Am I Exempt from DFS's Cybersecurity Regulation?' Flowchart can help licensees determine their exemption qualification.