
Amid growing concern about the cybersecurity posture of the financial industry (the proposed rule was published in September 2016, a year before the Equifax breach was disclosed), the New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. 23 NYCRR 500 is designed to foster and standardize cybersecurity across the financial services industry in New York.

Overview of 23 NYCRR 500

NYDFS, under its state law authority, released the initial documentation of the new cybersecurity regulations in fall of 2016. The regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

The New York Department of Financial Services recognized that approaches to cybersecurity were too disjointed across an industry that is critical to many end customers, and that the financial industry must lead the way in protecting customers' data and dollars.

23 NYCRR 500 is slightly different from similar industry regulations, such as the DFARS mandate for DoD contractors, in that its requirements are not explicitly based on a standard framework. However, when you review what NYDFS defines as a suitable cybersecurity program, patterns start to emerge. Section 500.02 requires the program to:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

To us, that language closely mirrors the five functions of the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover). Alongside this CSF-like structure, 23 NYCRR 500 mandates documented policies and standards for data management and security. Compliance also requires periodic risk assessments and penetration testing, as well as an extensive list of vendor risk management practices.

23 NYCRR 500 Rollout

The NYDFS regulation rollout has been gradual since it took effect on March 1, 2017. Covered entities had to meet the first set of requirements by August 28, 2017, when the initial 180-day transitional period ended. Since then, organizations covered by the regulation have had to file an annual certification of compliance and deliver documentation on remediation efforts.

Why Now?

So if 23 NYCRR 500 has been in effect for over two years, why is it still making waves in the cybersecurity industry? Remember those extensive vendor risk management practices included in the regulation? They’re why.

March 1, 2019 marked two years since the regulation came into effect, and it was the deadline for covered entities to implement the necessary third-party service provider practices, including:

  • The identification and risk assessment of third-party service providers
  • A minimum standard to be met by third-party service providers in order to do business with the covered entity
  • Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
  • Periodic risk assessment of third parties

This marked the conclusion of the rollout for the regulation, and it has caused many organizations to rethink how they approach their cybersecurity practices.

Missed the deadline for NYDFS 23 NYCRR 500? Download our NYDFS Compliance Guide to get started.
