Slash Command

/assess

NYDFS 23 NYCRR 500 compliance readiness assessment

Install

npx claudepluginhub rifh2000/claude-grc-engineering. --plugin nydfs

Prompt Preview

# NYDFS Assessment

Evaluates organizational readiness for New York Department of Financial Services (NYDFS) 23 NYCRR 500 cybersecurity requirements.

## Arguments

- `$1` - Entity type (required: covered-entity, limited-exemption, full-scope)
- `$2` - Assessment scope (optional: full, gap-analysis, annual-certification)

## NYDFS 23 NYCRR 500 Overview

**Effective Date**: March 1, 2017 (with phased implementation through 2019)
**Amended**: November 1, 2023 (significant updates)
**Applicability**: Financial services institutions operating in New York State
**Annual Certification**: Required...

Command Content

Other plugins with /assess

/assess

Assesses code, designs, or approaches across dimensions like correctness, maintainability, security, performance; rates 0-10 with pros/cons and recommendations.

AskUserQuestionReadGrep+8

ork

133

/assess

Assesses a local repo against a wiki's research and market landscape, producing gap analysis, opportunities, and competitive insights.

ReadWriteEdit+10

wiki

/assess

Assesses CIS Controls v8 compliance for specified Implementation Group (IG1/IG2/IG3), with optional full, gap-analysis, or specific-control scope.

cis-controls

/assess

Assesses HITRUST CSF readiness for specified type (i1, r2, e1) and optional scope, producing readiness score, domain breakdowns, gap analysis, and remediation roadmap.

hitrust

/assess

Assesses US ITAR and EAR export controls compliance readiness across 7 controls each plus jurisdiction determination. Supports itar/ear/both scopes and quick/detailed depths.

us-export

/assess

Assesses Protected B (PBMM) compliance readiness against ITSG-33 controls, evaluating data residency, access control, MFA, auditing, and encryption in AWS, Azure, GCP regions. Supports classification levels and assessment types.

pbmm

Stats

Parent Repo Stars0

Parent Repo Forks0

Last CommitApr 18, 2026

Used By2 plugins

Actions

View Source View Plugin View on GitHub View README

NYDFS Assessment

Evaluates organizational readiness for New York Department of Financial Services (NYDFS) 23 NYCRR 500 cybersecurity requirements.

Arguments

$1 - Entity type (required: covered-entity, limited-exemption, full-scope)
$2 - Assessment scope (optional: full, gap-analysis, annual-certification)

NYDFS 23 NYCRR 500 Overview

Effective Date: March 1, 2017 (with phased implementation through 2019) Amended: November 1, 2023 (significant updates) Applicability: Financial services institutions operating in New York State Annual Certification: Required by April 15th each year

Entity Types

Type	Description	Requirements	Exemptions
Covered Entity	<10 employees, <$5M revenue, <$10M assets	Full compliance	Limited exemptions available
Limited Exemption	Qualifies for certain exemptions	Reduced requirements	Must file exemption notice
Full Scope	Does not qualify for exemptions	All 23 sections apply	No exemptions

Covered Entities Under 23 NYCRR 500:

Banks, trust companies, private bankers
Insurance companies, agents, brokers
Licensed lenders, mortgage companies
Money transmitters
Any entity operating under NY banking/insurance law

23 Sections of 23 NYCRR 500

Governance and Risk Management

500.02 - Cybersecurity Program

Risk-based cybersecurity program required
Written policies and procedures
Annual risk assessment
Protects confidentiality, integrity, availability

500.03 - Cybersecurity Policy

Board-approved written policy
Senior leadership oversight
Addresses 9 required areas (encryption, MFA, monitoring, etc.)

500.04 - Chief Information Security Officer (CISO)

Designated CISO required
Can be employee, affiliate, third-party
Reports to Board or senior officer
Oversees cybersecurity program

500.09 - Risk Assessment

Annual risk assessment required
Documented methodology
Identifies reasonably foreseeable threats
Informs cybersecurity program design

Technical Controls

500.06 - Audit Trail

Maintain audit logs
Monitor authorized user activity
Detect unauthorized access
Reconstruct transactions

500.07 - Access Privileges

Limit user access privileges
Periodic review of access rights
Disable/modify access promptly when access no longer required
Annual recertification

500.11 - Multi-Factor Authentication (MFA)

MFA required for:
- Accessing internal networks from external networks
- Privileged accounts
- Accounts accessing nonpublic information
Risk-based implementation acceptable

500.12 - Limitations on Data Retention

Dispose of nonpublic information per schedule
Disposition in accordance with policies
Not retained longer than reasonably necessary

500.14 - Training and Monitoring

Regular cybersecurity awareness training
Personnel updates when needed
Monitor activity to detect threats

500.15 - Encryption of Nonpublic Information

Encryption in transit and at rest
Risk-based approach acceptable
If not encrypted, compensating controls required
CISO-approved encryption standards

Incident Response and Business Continuity

500.16 - Incident Response Plan

Written plan for cybersecurity events
Include goals, procedures, roles
Address internal processes, external communications
Test annually

500.17 - Business Continuity and Disaster Recovery

Written BC/DR plan
Address data backup and recovery
Response to disruption
Test annually

500.19 - Notices to Superintendent

Notify NYDFS within 72 hours of cybersecurity events
Events affecting normal operations or nonpublic information
Submit notice electronically

Third-Party Management

500.10 - Cybersecurity Personnel and Intelligence

Qualified cybersecurity personnel
Stay current on threats and countermeasures
Threat intelligence updates

500.11 - Third-Party Service Provider Security Policy

Written policy on third-party service providers
Identify, assess, monitor risks
Due diligence before engagement
Contractual protections
Annual review

Vulnerability Management

500.05 - Penetration Testing and Vulnerability Assessments

Annual penetration testing
Bi-annual vulnerability assessments
Based on identified risks
Conducted by qualified personnel
Remediate critical vulnerabilities promptly

500.08 - Application Security

Written procedures for secure application development
Periodic assessment and testing
Address secure coding practices

Additional Requirements

500.13 - Limitations on Wireless Access

Authorize and monitor wireless access points
Encryption for wireless networks
Review periodically

500.18 - Material Changes

Notify Superintendent of material changes to CISO designation
15 days advance notice

500.20 - Exemptions

Limited exemptions available for small entities
Must file notice with Superintendent
Exemptions for: MFA, annual pen test, CISO, some policies

500.23 - Effective Dates

Phased implementation (2017-2019)
Amendment effective November 1, 2023
Annual certification due by April 15

2023 Amendments (Key Changes)

Expanded Coverage:

Applies to all entities operating under NY banking/insurance law
Reduced exemption thresholds

Enhanced Requirements:

Class A directors must oversee cybersecurity risk (banks)
Privilege access management detailed
Encryption requirements strengthened
Incident response notification timeline to 72 hours
Business continuity testing requirements
Asset inventory and classification required

New Definitions:

Affiliate, Authorized User, Privileged Account
Senior Governing Body clarified

Assessment Output

Compliance Score: Overall readiness percentage across 23 sections
Section-by-Section Status:
- Compliant: Meets requirements
- Partial: Some controls in place
- Non-Compliant: Significant gaps
- Not Applicable: Exemption claimed
Critical Gaps:
- CISO designation
- Annual certification readiness
- Penetration testing status
- MFA deployment
- Incident response notification process
- Third-party risk management
Annual Certification Preparedness: Board certification due April 15
Remediation Roadmap: Prioritized action plan
Timeline to Compliance: Projected compliance date
Cost Estimate: Budget for remediation

Common Compliance Gaps

CISO Requirements (500.04):
- No designated CISO
- CISO not reporting to Board/senior leadership
- Insufficient cybersecurity expertise
Annual Certification (500.17):
- Late submission (past April 15 deadline)
- Incomplete certification
- Board not reviewing
Penetration Testing (500.05):
- Not conducted annually
- Not risk-based
- Critical vulnerabilities not remediated
MFA (500.11):
- Not implemented for all required access
- Weak MFA (SMS-based)
- Exemptions not documented
Incident Response (500.16, 500.19):
- No written IR plan
- Plan not tested
- 72-hour notification process not established
Third-Party Risk (500.11):
- No formal TPRM program
- Vendor contracts lack cybersecurity requirements
- No ongoing monitoring
Encryption (500.15):
- Data at rest not encrypted
- Compensating controls not documented
- Encryption standards not CISO-approved

Annual Certification Process

Due Date: April 15 (for prior calendar year) Certifier: Board of Directors or Senior Officer Submission: Electronic via NYDFS portal Statement: Compliance with 23 NYCRR 500 Attachments: May include exemptions, explanations

Certification Statement Requires:

Review of cybersecurity program
Attestation of compliance (or explanation of non-compliance)
Material changes since last certification
Board/senior officer signature

Examples

# Full assessment for covered entity
/nydfs:assess covered-entity full

# Gap analysis for limited exemption entity
/nydfs:assess limited-exemption gap-analysis

# Annual certification readiness check
/nydfs:assess full-scope annual-certification

Key Resources

23 NYCRR 500: Full regulation text
NYDFS Cybersecurity Resource Center: Guidance documents
FAQ: NYDFS published FAQs on compliance
Amendment Summary (2023): Key changes from November 2023 updates
Superintendent's Reports: Annual cybersecurity industry reports