top of page
DFS 23 NYCRR 500 Compliance Cyber Security Regulations 
Trojan Horse Security - Cyber Security Audits Penetration Testing Vulnerability & Risk Assessment Web Application Security Code Review



The New York State Department of Financial Services (“DFS”) assessed the threat to financial data systems and established the 23 NYCRR 500 regulation as a safeguard.

The 23 NYCRR 500 regulation requires companies to assess their risks and create a Cyber, IT security program to manage it. Corporate Boards now need to take this risk seriously. They will need to file an SEC / GLBA, PCI annual certification confirming compliance to the 23 NYCRR 500 regulation.

The DFS 23 NYCRR 500 assessment helps companies align to the regulation, create documentation as attestation of compliance and secure it's client data. Trojan Horse Security does this by focusing their attention and expert knowledge of the following applicable sections within the 23 NYCRR 500 regulation:

   Section 500.02 Cybersecurity Program
   Section 500.03 Cybersecurity Policy
   Section 500.04 Chief Information Security Officer
   Section 500.05 Penetration Testing and Vulnerability Assessments
   Section 500.06 Audit Trail
   Section 500.07 Access Privileges
   Section 500.08 Application Security
   Section 500.09 Risk Assessment
   Section 500.10 Cybersecurity Personnel and Intelligence.
   Section 500.11 Third Party Service Provider Security Policy
   Section 500.12 Multi-Factor Authentication
   Section 500.13 Limitations on Data Retention
   Section 500.14 Training and Monitoring
   Section 500.15 Encryption of Nonpublic Information
   Section 500.16 Incident Response Plan
   Section 500.17 Notices to Superintendent

Trojan Horse Security DFS 23 NYCRR 500 Compliance Cyber Security Regulations 
Trojan Horse Security - Cyber Security Audits Penetration Testing Vulnerability & Risk Assessment Web Application Security Code Review

Trojan Horse Security can work on the 23 NYCRR 500 regulation Certification of Compliance with the New York State Department of Financial Services Cybersecurity Regulations along with DFS Portal Filings. Is a comprehensive Information | Cyber Security Firm that can protect your corporate assets from a cyber or hack attack. Contact us today for a free consultation to find where your vulnerabilities really are, before an attacker helps themselves...









  • Chautauqua–Allegheny

  • Niagara Frontier

  • Finger Lakes

  • Thousand Islands

  • Central-Leatherstocking Region

  • Adirondack Mountains

  • Capital District

  • Catskill Mountains

  • Hudson Valley

  • New York City

  • Manhattan

  • Queens

  • Long Island

  • Albany 

  • Rochester

  • NYC

  • Brooklyn

  • Staten Island

  • Hudson Valley

  • Capital District

  • Mohawk Valley

  • North Country

  • Central New York

  • Southern Tier

  • Finger Lakes

  • Western New York

  • Vally Stream

  • Utica

DFS 23 NYCRR 500 regulation defines financial institutions as: "companies that offer financial products or services to individuals, like loans, financial or investment advice, or insurance". The Federal Trade Commission (FTC) has jurisdiction over financial institutions similar to, and including, these:


  • Non-bank mortgage lenders

  • Real estate appraisers

  • Loan brokers

  • Some financial or investment advisers

  • Debt collectors

  • Tax return preparers

  • Banks

  • Real estate settlement service providers.

Many companies collect personal information from their customers, including names, addresses, and phone numbers; bank and credit card account numbers; income and credit histories; and Social Security numbers. The DFS 23 NYCRR 500 regulation Act requires companies defined under the law as “financial institutions” to ensure the security and confidentiality of this type of information. As part of its implementation of the DFS 23 NYCRR 500 regulation Act, the NYS Laws issued the Safeguards Rule, which requires financial institutions under NYS jurisdiction to have measures in place to keep customer information secure. But safeguarding customer information isn’t just the law. It also makes good business sense. When you show customers you care about the security of their personal information, you increase their confidence in your company. The Rule is available at
DFS 23 NYCRR 500 regulation compliance is mandatory; whether a financial institution discloses nonpublic information or not, there must be a policy in place to protect the information from foreseeable threats in security and data integrity.


bottom of page