Definitions (Section 500.01)
Does your company have documented definitions for key terms used in the regulation, including covered entity, nonpublic information, and Cybersecurity event?
Cybersecurity Program (Section 500.02)
Does your company maintain a written Cybersecurity program, subject to annual independent audits?
Cybersecurity Policies (Section 500.03)
Does your company have documented Cybersecurity policies that address various risks and operational needs, aligned with the regulation's requirements?
Chief Information Security Officer (Section 500.04)
Does your company mandate appointing a Chief Information Security Officer responsible for overseeing and implementing the Cybersecurity program and policy?
Penetration Testing and Vulnerability Management (Section 500.05)
Does your company have documented procedures for conducting regular penetration testing and vulnerability assessments based on your risk assessment?
Audit Trail (Section 500.06)
Does your company have an audit trail system in place that logs and monitors Cybersecurity events?
User Access Controls (Section 500.07)
Does your company have documented access control policies and procedures that limit user access privileges based on the principle of least privilege?
Application Security (Section 500.08)
Does your company have secure development practices in place for in-house developed applications, aligned with industry best practices?
Risk Assessments (Section 500.09)
Does your company conduct regular risk assessments that identify, assess, and prioritize Cybersecurity risks, as required by the regulation?
Cybersecurity Personnel and Intelligence (Section 500.10)
Does your company have a plan for staffing and training Cybersecurity personnel to manage and respond to threats, aligned with the regulation's recommendations?
Managing Third-Party Service Provider Risks (Section 500.11)
Does your company have documented policies and procedures for managing risks associated with third-party service providers, as required by the regulation?
Multi-Factor Authentication (Section 500.12)
Have you implemented multi-factor authentication for privileged access and other access?
Limitations on Data Retention (Section 500.13)
Does your company have documented policies and procedures for data retention and destruction of nonpublic information?
Training and Monitoring (Section 500.14)
Does your company provide regular Cybersecurity awareness training for all personnel?
Encryption of Nonpublic Information (Section 500.15)
Does your company have documented procedures for encrypting nonpublic information at rest and in transit?
Incident Response Plan (Section 500.16)
Does your company have a documented incident response plan that outlines procedures for identifying, containing, eradicating, and recovering from Cybersecurity incidents?
Reporting of Cybersecurity Events (Section 500.17)
Does your company have documented procedures for reporting Cybersecurity events to the Superintendent?
Sensitive Data Confidentiality (Section 500.18)
Does your company address how the confidentiality of sensitive data is ensured?
Small / Less Complex Entities Exemptions (Section 500.19)
If applicable, have you determined if your organization qualifies for any of the exemptions for small or less complex entities?
Enforcement Measures / Compliance Timelines (Section 500.20)
Does your company have detailed enforcement measures and compliance timelines?
Notices to the Superintendent (Section 500.21)
Have you identified any applicable transition periods for achieving compliance with specific sections of the regulation?
Transition Periods for Compliance (Section 500.22)
Do any grace periods (transition periods) apply to meeting certain requirements (sections) of the NYDFS Part 500 regulation?