Request Demo

NIST Cybersecurity Framework, Financial Services

New York's Financial Legislation 23 NYCRR 500: What Your Need to Know


What is 23 NYCRR 500 Compliance?

New York 23 NYCRR part 500 compliance can be a daunting lift, especially for those who haven't started to remediate, and even for those who have secured compliance but aren't sure how to continuously prove compliance easily without taking time, effort, and resources away from existing projects.

Governor Cuomo announced that their cyber reg was the "first in the nation" to protect both consumers and financial institutions. "The regulation requires banks, insurance companies, and other financial services institutions regulated by the State Department of Financial Services" to put into place a continuously manintained cybersecurity program. The program is supposed to be designed to protect consumers that each financial institution serves, and to secure the New York State’s financial services industry this year and beyond as cyber vulnerabilities evolve. This regulation includes everything from appointing a Chief Information Security Officer to implementing two or multi-factor authentication (2FA or MFA). In short, the reg is quite extensive.

According to the New York DFS, "This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion. Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations. A regulated entity’s cybersecurity program must ensure the safety and soundness of the institution and protect its customers."


Who Falls Under the Regulation?

According to the legislative document itself "Cybersecurity Requirements for Financial Services Companies", insurance brokers, agents, companies that are licensed in New York state are subject to the requirements of this regulation -- including non-residents. This means if a bank or entity has a location in New York that qualifies it also falls under 23 NYCRR 500 compliance. Covered entity means “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”


When is the Compliance Deadline?

The NY DFS made it clear that the NYCRR 500 regulation is a priority, "It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State." 

According to the New York State Department of Financial Services, "All regulated entities and licensed persons of the Department of Financial Services (DFS) were required to file a cybersecurity regulation Certification of Compliance under 23 NYCRR 500 by February 15, 2018 - seeing as it's the end of March now, you'll need something to ensure your complaince as soon as practical. Please be aware that if you hold more than one license, then you need to file a separate Certification of Compliance for each license you hold." On/before Feb. 15, 2018—the first annual certification of compliance will be due to the New York State Department of Financial Services. 


The NYC DFS Cyber Compliance Requirements include:

A cybersecurity policy based on the Covered Entity’s Risk Assessment, that addressess the areas below to the extent applicable to the Covered Entity’s (or Your Business's) operations:

(a) information security;
(b) data governance and classification;
(c) asset inventory and device management;
(d) access controls and identity management;
(e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns;
(g) systems and network security;
(h) systems and network monitoring;
(i) systems and application development and quality assurance;

the list goes on....

(j) physical security and environmental controls;
(k) customer data privacy;
(l) vendor and Third Party Service Provider management; (m) risk assessment; and
(n) incident response. 

Organizations also must appoint a CISO, "Each Covered Entity shall designate a qualified individual responsible for overseeing and implementing the Covered Entity’s cybersecurity program and enforcing its cybersecurity policy (for purposes of this Part, “Chief Information Security Officer” or “CISO”). The CISO may be employed by the Covered Entity, one of its Affiliates or a Third Party Service Provider."

Application Security, Pen Testing, Audit Trail... it's likely that you have a lot of these cyber-related measures in place as a financial institution. However, some of these action items might be a lift for your organization, and avoiding misdirection on what the next cost-effective action is can be difficult to know for sure.


Get NYCRR 500 Compliant -- Secure Your Business and Protect Your Potential

We’ve talked to a lot of organizations facing the uphill battle of complying to this financial cybersecurity regulation. It’s clear that DFS Compliance is no small task, and if you’re wondering how to approach the 23 NYCRR 500 compliance, you’re likely not the only one amongst your peers. We’ve seen some organizations master it with the help of CyberStrong, and we’ve seen others struggle to figure out what the most cost-effective plan of action is for quick and thorough compliance. CyberStrong looks at the controls you must comply to and gives you a cost-impact weighted plan of action on how to get there. The clean and professional interface and reporting capabilities make proving compliance simple, and the Platform’s agile work flow allows teams, collaborators and even those outside of infosec to collaborate on controls, dramatically reducing the manual effort of surveying your organization for the information you need for the 23 NYCRR 500 assessment.

For more information, download the CyberStrong Platform Brochure or schedule a free 30-minute demo for a quick overview on how CyberStrong helps assess, implement and continuously prove 23 NYC 500 compliance for financial institutions.








You may also like

The Cybersecurity Skills Gap: The ...
on February 7, 2019

The cybersecurity skills gap is nothing new to the seasoned cyber professional. It has been widely discussed in cyber and information security circles for some time. The main flag ...

George Wrenn
The Post-Digitization CISO
on February 5, 2019

Information leaders in digital businesses, whether focusing on optimization or a full transformation, are inherently altering their position among the executive leadership. As ...

Integrated Risk Management and ...
on January 31, 2019

With technology permeating every aspect of a business, one begins to wonder what technology is reserved for digital risk management rather than the other facets of integrated risk ...

Department of Defense Launches ...
on January 29, 2019

The Defense Federal Acquisition Regulation Supplement (DFARS) mandate, specifically Clause 252.204-7012 requiring all members of the Department of Defense’s supply chain to comply ...

Digital Risk Management Frameworks
on January 24, 2019

As organizations continue to embrace digitization, security teams are faced with the challenge of keeping the enterprise secure while empowering growth and innovation. Many CISO’s ...

The Cybersecurity Impact Of The ...
on January 23, 2019

There has been a great deal of speculation around the cybersecurity posture of the nation in light of the most recent (and longest documented) government shutdown. I’ve seen two ...

George Wrenn