5 things you should know about the September DFS deadline

And the necessary steps for full 23 NYCRR 500 Compliance

For the thousands of NY financial institutions covered by DFS’s sweeping data security regulation, yet another deadline approaches on September 3, 2018. We break down 5 required actions to take by that date to ensure you aren’t left in the dust.

23 NYCRR Part 500 officially went into effect on March 1, 2017. Almost one year later, on February 15, 2018, all covered entities were required to submit the first certification of compliance under 23NYCRR 500. On March 1st, covered entities had to be compliant with Sections 500.04(b), 500.05, 500.09. 500.12, and 500.14(b). The next major deadline will take place on September 3, 2018 as the eighteen-month transitional period ends, and covered entities are required to be compliant with the remaining 23NYCRR’s sections (specifically 500.08, 500.13, 500.13(a) and 500.15). Overwhelmed yet? Not to worry, that’s why there are experts like us to guide you through this complex process. And will help break down this beast of a regulation (to likely be rolled out nation-wide after New York State), into palatable, actionable steps so that your financial or insurance company is not only compliant but has a streamlined data security protocol as a result.

With the looming deadline less than 45 days away, MDS recommends the follow steps be taken by or before September 3rd.

  1. Implement an Audit Trail System (500.06)

Covered entities must implement, “to the extent applicable and based on its Risk Assessment”, an audit trail system designed to manage and track data “to reconstruct material financial transactions sufficient to support normal operations and obligations” in addition to track cybersecurity events. MDS compliance experts can implement the necessary auditing solution that allows you to comply with DFS requirements. While most institutions likely maintain transaction data, more rigorous tracking will be required to ensure an adequate lifecycle transaction information, potential intrusions, and/or losses. Audit records will need to be retained for at least five years for material financial transactions, and three years for cybersecurity events.

  1. Strict Application Security (500.08)

All companies covered by 23 NYCRR 500 will be required to have “written procedures, guidelines and standards” in place to ensure “secure development practices” for all software created internally and used by the organization. It is also required to have procedures in place “for evaluating, assessing, or testing the security of externally developed applications (such as third-party software), used within the company. Such security policies would be tested by either a contracted company (such as MDS) hired to monitor said applications, or by the company’s CISO (Chief Information Security Officer) or DPO (Data Protection Officer). Note MDS provides both CISO and DPO services. Learn more about these services.

  1. Limitations to Data Retention (500.13)

In contrast to how this regulation requires that organizations maintain an audit trail of data, there are also limitations on the data retention allowed. Policies and procedures are required for the secure, periodic disposal of non-public information (“NPI”) that is no longer necessary for business operations, except when such information is otherwise required to be retained by law, or when targeted disposal is not reasonably feasible due to the manner the information is maintained. An organization will also need to provide proof that this data was disposed of.

  1. Access Monitoring (500.14).

It is required that policies are developed for the continued monitoring of authorized users and detection of unauthorized users, along with regular cybersecurity awareness training. While a version of this is often already in place, as of September 3rd, these documented policies and procedures will need to be part of the company’s overall cybersecurity program. This is done to ensure “procedures and controls designed to monitor the activity” of authorized users of the company’s systems, as well as controls directed at detecting “unauthorized access or use of, or tampering with” non-public data by authorized users is implemented and monitored on an ongoing basis.

Make sure your organization is compliant with DFS

  1. Encryption of non-public information (500.15)

Lastly, covered entities must have “controls” in place to protect non-public information both in transit and at rest. For DFS, this control can come in the form of encryption. If encrypting non-public information is not possible, covered entities should use “alternate compensating controls” to secure this information upon approval of the CISO. When available, encryption should be employed to protect NPI held or transmitted by a covered organization both in transit over external networks or at rest.


Let the experts at MDS work to ensure your organization is compliant with DFS so you can focus on what’s important: growing your business. Check out our additional compliance resources now, which includes checklists, recorded webinars, and assessments designed to assist you on this compliance journey.

By Jarra Gruen, MDS

Reach out to an MDS compliance expert now and we will get back to you shortly!

<iframe src="https://www.mdsny.com/test3.html" allowtransparency="true" width="100%" height="650px" type="text/html" frameborder="0" style="border:0"></iframe>