NYDFS Cybersecurity Compliance: Maintaining Continuing Compliance

Advisory Cyber NYDFS

The New York Department of Financial Services (NYDFS) recently announced its first enforcement action under its cybersecurity regulations (23 NYCRR 500), against large title insurance provider First American Title Insurance. The enforcement action cited the company’s failure to comply with numerous aspects of the regulations, such as training, data classification, restricting access, and encryption of Non-Public Information (NPI).

NYCRR 500 requires covered entities – which include banks, insurance companies, and other financial services institutions regulated by NYDFS – to establish and maintain a risk-based cybersecurity program and ensure compliance with rigorous cybersecurity requirements. The regulations also stipulate that senior management must take responsibility for the organization’s cybersecurity program and file an annual certification that confirms compliance. 

The first set of deadlines for the initial certifications concluded on June 1, 2020 (postponed from Feb. 15, 2020, due to the COVID-19 pandemic). However, companies must be proactive in remaining compliant with the regulations.

To help you with the continual cycle of compliance required by NYDFS, ask yourself the following key questions: 

  • Is our risk register reviewed and updated?
  • If you have deployed new applications or services that access Non-Public Information (NPI):
    • Have we confirmed that NPI is encrypted both at rest and in transit?
    • Have we confirmed that user access to the NPI is limited and that two-factor authentication is implemented for remote access?
  • Have we provided cybersecurity awareness training to all new staff who have access to NPI? Have we refreshed the training of existing staff?
  • Have we refreshed the due diligence of vendors who process, access, or store NPI on the company’s behalf? Have we included new vendors in the due diligence process?

How CohnReznick can help

CohnReznick understands the business of financial services, the need to safeguard valuable data assets, and today’s sophisticated cybersecurity threats. We also have deep experience with the risk-based technologies, processes, and people skills needed to develop and implement enterprise cybersecurity programs.

If you need help assessing your organization’s readiness for continuing compliance with NYDFS 23 NYCRR 500, we can help you in the following areas:

CISO and board reporting

  • Assess cybersecurity policies and procedures
  • Review your annual report on your cybersecurity program, material risks, and cybersecurity incidents

Penetration testing and vulnerability assessment

  • Assess external penetration testing and vulnerability assessment policies
  • Review policies and testing reports of external hosting providers
  • Evaluate the scope of and test plans for penetration testing

Encryption of Non-Public Information (NPI)

  • Interview company subject matter experts (SMEs) to understand encryption policies for data in transit and at rest
  • Review data classification standards

Multifactor authentication (MFA)

  • Evaluate current MFA deployment
  • Review access management policies
  • Appraise application risk rating methodology
  • Determine if MFA is enabled on high-risk applications

Audit trails

  • Interview company stakeholders to understand current logging and monitoring processes
  • Review data classification and retention policies for NPI 
  • Review logs of systems that handle financial transactions

Data retention

  • Evaluate the organization’s secure data disposal policy
  • Determine that the policy is operational and effective

Application security

  • Review the company’s Software Development Life Cycle (SDLC) to evaluate code review, segregation of duties, and separation of development, testing, quality assurance (QA), and production environments
  • Review any related policies and procedures per OWASP’s Application Security Verification Standard
  • Review change management tickets
  • Assess active directory (AD) configurations for enforcement of segregation of duty


  • Evaluate access management processes and procedures
  • Review access management system logs
  • Assess data inventory classification to determine if sensitive data are encrypted at rest and in transit

Cybersecurity awareness and training

  • Review security training policy and material
  • Review the training log

Third-party risk assessment

  • Review vendor classification
  • Design the vendor due diligence process
  • Perform vendor due diligence


Daryouche Behboudi, Managing Director, CohnReznick Advisory


Subject matter expertise

  • Bhavesh Vadhani
    Contact Bhavesh Bhavesh+Vadhani bhavesh.vadhani@cohnreznick.com
    Bhavesh Vadhani

    CISA, CRISC, CGEIT, PMP, CDPSE, Principal, Global Leader, Cybersecurity, Technology Risk, and Privacy

  • Behboudi Daryouche
    Contact Daryouche Daryouche+Behboudi daryouche.behboudi@cohnreznick.com
    Daryouche Behboudi

    Advisory Managing Director

  • Close


    Let’s start a conversation about your company’s strategic goals and vision for the future.

    Please fill all required fields*

    Please verify your information and check to see if all require fields have been filled in.

    Please select job function
    Please select job level
    Please select country
    Please select state
    Please select industry
    Please select topic

Related services

This has been prepared for information purposes and general guidance only and does not constitute legal or professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is made as to the accuracy or completeness of the information contained in this publication, and CohnReznick LLP, its partners, employees and agents accept no liability, and disclaim all responsibility, for the consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.