

NYDFS Cybersecurity Regulation

NYCRR 500 Assessment & Attestation, SOC for Cybersecurity, SOC 2 + Additional Criteria


About NY DFS and NYCRR

On March 1, 2017, the Superintendent of Financial Services for the State of New York promulgated 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. In addition to New York domiciled companies, this regulation also applies to financial services companies that are licensed to do business in the State of New York and have at least $5M in revenue in New York. Within the regulation, the New York State Department of Financial Services (“DFS”) recognizes the ever-growing threat posed to information and financial systems by cybercriminals and the risk of significant financial loss for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes.

Cybersecurity and The Regulations That Come with It

As the leading top 100 CPA firm in the cybersecurity space, Schellman can perform the following services:

23 NYCRR Part 500

23 NYCRR Part 500 Readiness Assessment & Attestation

A 23 NYCRR Part 500 Readiness Assessment tests control activities aligned with the regulation and provides a management-only report with identified gaps and areas of potential non-compliance.

A 23 NYCRR Part 500 Attestation is a compliance attestation under the umbrella of SSAE 18 standards that opines on management's assertion of control activities intended to meet the 23 NYCRR requirements. This examination can yield a Type 1 (point-in-time) or Type 2 (period of time) report.

SOC for Cybersecurity Report

Under the new AICPA SOC for Cybersecurity program, a SOC for Cybersecurity examination reports on the entity's underlying cybersecurity program and can be based on a variety of supporting standards and frameworks, from the NIST Cybersecurity Framework (CSF) to ISO 27001 or the AICPA Trust Services Criteria. As such, the NYDFS regulation could be used as the subject matter for a SOC for Cybersecurity Report.

SOC 2 + Additional Criteria

SOC 2 reports have always had the ability to add incremental criteria and/or subject matter on top of the requisite Trust Services Criteria. With this, a SOC 2 report can also be supplemented with the 23 NYCRR Part 500 requirements.