| 1 minute read

NYDFS Amendment to Cybersecurity Regulation

nys dfs seal

Avalon previously reported on proposed changes that may have a significant impact on the current 23 NYCRR Part 500 – Cybersecurity Requirements for Financial Services Companies (the Cybersecurity Regulation or Part 500) released by the New York State Department of Financial Services (NYSDFS). 

Part 500, a regulation establishing cybersecurity requirements for financial services companies, was declared by the Superintendent of Financial Services, and has been in place since March 2017.

Since adoption, the cybersecurity landscape has changed, and attacks have become more sophisticated and more expensive. There are many additional controls to help mitigate these threats that should be implemented by organizations to help protect themselves and, as such, on November 1, 2023, Part 500 was amended to help align with these changes and push for better security for financial services companies.

Please go to https://www.dfs.ny.gov/industry_guidance/cybersecurity for more information on the updates and related resources including available training sessions and implementation timelines for small businesses, Class A businesses, and covered entities.

Avalon can assist your organization with staying or becoming compliant through many of our services, including vCISO, vendor management, policy creation, and risk assessment.

Blog Articles

Employee Spotlight: Sofia Johnson

 

 

Every once in a while, we like to show off one of our hard-working, detail-oriented problem solvers. Take a moment to see who's in the spotlight today!

Mastering Basic Cybersecurity Hygiene for Long-Term Success

As a cybersecurity leader who’s seen too many breaches start with the simplest oversights, I often say: “You can’t build castles on a sand foundation.” In today’s landscape, where ransomware attacks are a daily occurrence for businesses large and small, basic cybersecurity hygiene isn’t optional; it’s your first line of defense – the basics that keep your organization resilient.

Analyzing September 2025’s Critical Zero-Day Vulnerabilities

September 2025 has been a powerful reminder that today’s greatest cyber risks often come from the software we rely on most. In just a few short weeks, organizations faced a wave of critical zero-day vulnerabilities across remote access gateways, communication apps, password managers, and even everyday utilities. These weren’t hypothetical risks – they were live, actively exploited threats.