

Stronghold Cyber Security is a veteran-owned cyber security company located near historic Gettysburg, Pennsylvania that provides cutting-edge security services to businesses throughout the country. Service offerings include regulatory compliance, penetration testing, advanced cyber risk management, along with customized cyber security programs.

Get In Touch

Phone: 1-888-277-8320
Phone: 717-918-3301
Address: Gettysburg, PA

Does your financial institution fall under the NYDFS cybersecurity regulation 23 NYCRR 500? If so, we can help by getting you 23 NYCRR 500 compliant and KEEPING it that way!
NYDFS Cybersecurity Regulation: What Is It?

NYDFS Cybersecurity Regulation (23 NYCRR 500) is a set of regulations from the NY Department of Financial Services (NYDFS) which took effect on March 1, 2017 that requires financial institutions to enact a complete cyber security program.

23 NYCRR 500 Regulation: Who does it apply to?

Any entity that is supervised by the Department of Financial Services, including:

    • Banks
    • Credit Unions
    • Insurance Companies
    • Investment Companies
    • Mortgage Lenders
    • Financial Service Centers
    • Service Providers
    • Private Bankers
    • Brokers / Dealers

23 NYCRR 500 Regulation: Who is exempt?

There are limited exemptions to the NYDFS Cybersecurity Regulation for covered entities. An exemption does not mean that an entity is completely exempt from the 23 NYCRR 500 regulation, only that certain sections may not apply. An entity qualifies for a limited exemption if it has:

  • fewer than 10 employees, including any independent contractors, of the Covered Entity or its Affiliates located in New York or responsible for business of the Covered Entity, or
  • less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or
  • less than $10,000,000 in year-end total assets

DFS Certificate of Compliance:

Per the December 21, 2018 DFS memorandum on the NYCRR cybersecurity regulation 23 NYCRR 500 / NYDFS certificate of compliance:  “DFS’s regulation requires each entity to conduct an annual review and assessment of its cybersecurity program’s achievements, deficiencies and overall compliance with regulatory standards and to certify the institution’s compliance with the regulation on an annual basis. The DFS compliance certification is a critical governance pillar for the cybersecurity program of all DFS regulated entities. The first certification deadline was February 15, 2018, which was successful and provided DFS with information from which we have been working to improve our processes. DFS currently is preparing for the second annual certifications of compliance due by February 15, 2019.”

23 NYCRR 500 Compliance: How To Get There

Some of the requirements for the NYDFS cybersecurity regulation include:

  • Maintaining a complete cyber security program, including policies and procedures on how to detect, respond to, and recover from a cyber security event, as well as how to fulfill applicable regulatory reporting obligations
  • Designating a Chief Information Security Officer (CISO)
  • Maintaining a written cyber security policy
  • Performing periodic penetration testing and vulnerability assessments
  • Performing periodic risk assessments of information systems

This list may appear to be quite daunting. However, Stronghold Cyber Security can assist with ANY and EVERY aspect of the NYDFS Cybersecurity Regulation, including the ongoing requirements of periodic assessments and penetration testing. We not only GET your financial institution 23 NYCRR 500 compliant, we can KEEP it there!

The time is up: March 1, 2019 is the final deadline for 23 NYCRR 500 compliance.

By March 1, 2019, all banks, insurance companies, and other financial services institutions and licensees regulated by DFS will be required to have a robust cybersecurity program in place that is designed to protect consumers’ private data; a written policy or policies that are approved by the Board of Directors or a Senior Officer; a Chief Information Security Officer to help protect data and systems; and controls and plans in place to help ensure the safety and soundness of New York’s financial services industry including encryption and multifactor authentication.

Want to know more about how we can help you with NYDFS cybersecurity compliance? Get a FREE consultation to see how your business needs to comply with NYDFS (23 NYCRR 500). Call 1-888-277-8320, email us, or fill out the form at the right to get started.

What are you waiting for? Give us a call to see how Stronghold Cyber Security can assist your company with NYDFS Cybersecurity Regulation compliance! 1-888-277-8320