NYDFS Cybersecurity Risk Assessment (23 NYCRR 500.9)

The short version

The NYDFS Cybersecurity Regulation makes the risk assessment the foundation of a covered entity's cybersecurity program. Under 23 NYCRR 500.9, the entity must conduct a risk assessment of its information systems, sufficient to inform the design of the program, and the program's controls are then required to be based on it. The 2023 amendments require the risk assessment to be reviewed and updated at least annually and whenever a change in the business or technology materially affects the entity's cyber risk.

Part 500 is built outward from the risk assessment. The regulation does not just ask for one; it requires that the cybersecurity program, the policies, and many of the specific controls be based on it. A covered entity that cannot show a current, adequate risk assessment has a gap at the center of its program, not at the edge. This guide covers what 500.9 requires, what the assessment must cover, how often it updates, and how it drives the rest of the program.

What 500.9 requires

Section 500.9 requires each covered entity to conduct a periodic risk assessment of its information systems, sufficient to inform the design of the cybersecurity program. The assessment has to be documented and carried out in accordance with written policies and procedures. It is the input the rest of Part 500 assumes: the program (500.2), the policies (500.3), and controls such as access privileges and encryption are all required to be risk-based, which means based on this assessment.

What it must cover

The regulation requires the risk assessment to be carried out under written policies and procedures that set out three things: criteria for the evaluation and categorization of the cybersecurity risks or threats the entity has identified; criteria for assessing the confidentiality, integrity, security, and availability of the entity's information systems and nonpublic information, including the adequacy of existing controls in the context of those risks; and requirements describing how each identified risk will be mitigated or accepted and how the cybersecurity program will address it. In practice that means the assessment is not a list of threats but a scored, documented record that ties each risk to a decision and to a control.

How often it must update

The 2023 amendments to Part 500 sharpened the cadence. The risk assessment must be reviewed and updated at least annually, and whenever a change in the business or technology causes a material change to the entity's cyber risk. A risk assessment that predates a significant change in the environment is treated as out of date, and because the program is required to be based on it, a stale assessment undercuts the whole program.

How to conduct it

Step 1: Inventory information systems and nonpublic information

Identify the information systems the entity operates and the nonpublic information it holds, including where that information is stored and which systems process it. An asset-based assessment is only as complete as this inventory, so gaps here propagate into every later step.

Step 2: Identify and categorize risks

Apply the entity's written criteria to identify the cybersecurity risks or threats facing it and to categorize each one consistently, so that two assessors scoring the same risk would reach the same category.

Step 3: Assess confidentiality, integrity, security, and availability

Evaluate the impact on each of these properties for the affected systems and nonpublic information, and assess whether the existing controls are adequate in the context of the identified risk, as 500.9 requires.

Step 4: Decide mitigation or acceptance

For each risk, document how it will be mitigated or accepted and how the program addresses it.

Step 5: Document, then review at least annually

Record the assessment under written policies and review it at least annually and on any material change.
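The five steps above can be carried as a small, auditable risk register. The following is an added example written for this guide, not code from DFS or from any covered entity: it records each risk against an asset, applies written categorization criteria, checks that every risk has a mitigate-or-accept decision the program can act on, and flags the assessment as out of date after a year or after a material change. Part 500 does not prescribe a scoring scale, so the 1-5 scale, the likelihood-times-impact formula, the category thresholds, the sample assets, and the dates are all assumptions made here for illustration.

```python
"""Minimal Part 500 risk register (illustrative, written for this guide).

23 NYCRR 500.9 requires written criteria for categorizing risks, criteria
for assessing confidentiality/integrity/security/availability including
control adequacy, documented mitigate-or-accept decisions, and review at
least annually and on any material change. The scale and thresholds below
are assumptions; an entity's own written policy sets its criteria.
"""
from dataclasses import dataclass, field
from datetime import date, timedelta


@dataclass
class Risk:
    asset: str            # system or nonpublic-information store from the inventory
    threat: str
    likelihood: int       # assumed 1 (rare) .. 5 (expected)
    confidentiality: int  # assumed 1 (negligible) .. 5 (severe) impact per property
    integrity: int
    security: int
    availability: int
    control_adequacy: int  # assumed 1 (no control) .. 5 (strong, tested control)
    decision: str = ""     # "mitigate" or "accept" (500.9(b)(3))
    rationale: str = ""    # required when a risk is accepted
    control_ref: str = ""  # program control that addresses a mitigated risk

    def impact(self) -> int:
        # Worst-case impact across the four 500.9(b)(2) properties.
        return max(self.confidentiality, self.integrity, self.security, self.availability)

    def residual_score(self) -> int:
        # Assumed criterion: likelihood x impact, reduced by existing-control adequacy.
        return max(1, self.likelihood * self.impact() - self.control_adequacy)


def categorize(risk: Risk) -> str:
    # Assumed thresholds: the entity's written policy would define its own bands.
    score = risk.residual_score()
    if score >= 15:
        return "high"
    if score >= 8:
        return "medium"
    return "low"


@dataclass
class Assessment:
    assessed_on: date
    risks: list = field(default_factory=list)
    material_changes: list = field(default_factory=list)  # (date, description)

    def is_current(self, as_of: date) -> bool:
        # 500.9(a): reviewed at least annually, and whenever a business or
        # technology change materially changes cyber risk.
        if as_of - self.assessed_on > timedelta(days=365):
            return False
        return not any(self.assessed_on < d <= as_of for d, _ in self.material_changes)

    def gaps(self) -> list:
        # Every risk needs a decision the program can act on; an accepted risk
        # needs a documented rationale, a mitigated one a control reference.
        issues = []
        for r in self.risks:
            label = f"{r.asset} / {r.threat}"
            if r.decision not in ("mitigate", "accept"):
                issues.append(f"{label}: no mitigate/accept decision")
            elif r.decision == "accept" and not r.rationale:
                issues.append(f"{label}: accepted without documented rationale")
            elif r.decision == "mitigate" and not r.control_ref:
                issues.append(f"{label}: mitigated without a control reference")
        return issues


def sample_assessment() -> Assessment:
    # Constructed sample register; assets, scores and dates are invented.
    return Assessment(
        assessed_on=date(2024, 3, 1),
        risks=[
            Risk("customer portal", "credential stuffing", 4, 5, 3, 4, 2, 2,
                 decision="mitigate", control_ref="MFA on portal logins (500.12)"),
            Risk("HR file share", "ransomware", 3, 3, 4, 3, 5, 4, decision="accept"),
            Risk("marketing site", "defacement", 2, 1, 3, 2, 2, 3,
                 decision="accept", rationale="holds no nonpublic information; rebuilt from CI"),
            Risk("core banking API", "token replay", 3, 5, 5, 4, 3, 3),
        ],
        material_changes=[(date(2024, 9, 15), "portal authentication moved to a cloud IdP")],
    )


def run_demo() -> dict:
    a = sample_assessment()
    return {
        "categories": {r.threat: categorize(r) for r in a.risks},
        "gaps": a.gaps(),
        "current_before_change": a.is_current(date(2024, 6, 1)),
        "current_after_change": a.is_current(date(2024, 10, 1)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(key, "=>", value)
```

Run as written, the register rates credential stuffing "high", ransomware "medium" and defacement "low", reports two gaps (ransomware accepted without a rationale, token replay with no decision at all), and reports the assessment current in June 2024 but stale on 1 October 2024 because the September identity-provider migration postdates it. The thresholds are deliberately simple; what matters for 500.9 is that the criteria are written down and applied the same way to every risk.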

Where it goes wrong

The NYDFS risk assessment is the load-bearing requirement of Part 500, and the failures cluster in three places. First, the assessment goes stale: it predates a significant change in the business or technology, or more than a year has passed without review, so the program it is supposed to support is resting on an out-of-date picture. Second, it is not carried out under written policies and procedures with explicit criteria, which leaves the categorization of risks and the confidentiality, integrity, security, and availability assessment undocumented and inconsistent. Third, it is not genuinely the basis of the program: controls such as access privileges and encryption are chosen independently and the assessment is written afterwards to match, rather than each identified risk carrying a documented mitigate-or-accept decision that the program then acts on. Keep it documented, current, and genuinely the basis of the program. For the wider regulation, see the NYDFS cybersecurity compliance guide and the NYDFS glossary.

Primary sources

Common questions

What does 23 NYCRR 500.9 require?
It requires each covered entity to conduct a documented periodic risk assessment of its information systems, sufficient to inform the design of the cybersecurity program. The assessment must include criteria for evaluating and categorizing risks, for assessing confidentiality, integrity, security, and availability, and for deciding how risks are mitigated or accepted.
How often must a NYDFS risk assessment be updated?
After the 2023 amendments to Part 500, the risk assessment must be reviewed and updated at least annually, and whenever a change in the business or technology materially affects the entity's cybersecurity risk.
What must the NYDFS risk assessment cover?
Criteria for identifying and categorizing cybersecurity risks, an assessment of the confidentiality, integrity, security, and availability of the entity's information systems and nonpublic information, and documented decisions on how each identified risk will be mitigated or accepted.
Why is the risk assessment central to Part 500?
Because the regulation requires the cybersecurity program, the policies, and many specific controls to be based on the risk assessment. A missing or stale assessment leaves a gap at the center of the program, not at its edge.
From the team behind this guide

A Part 500 risk assessment that holds up

Compliance Command Center builds and maintains the risk assessment Part 500 is constructed around: documented, current, and genuinely the basis of the program and its controls. Practitioners build it, with a human reviewing every deliverable, so it reads as adequate when DFS asks.
