
Following the Equifax breach and growing concerns about the security posture of the financial industry, the New York State Department of Financial Services (NYDFS) released the initial proposal for what would become 23 NYCRR 500. The regulation is designed to foster and standardize cybersecurity across the financial services industry in New York.

Overview of 23 NYCRR 500

NYDFS, under its state law authority, released the initial documentation of the new cybersecurity regulations in fall of 2016. The regulation is “designed to promote the protection of customer information as well as the information technology systems of regulated entities…Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.”

The New York Department of Financial Services recognized that approaches to cybersecurity were too disjointed across an industry that is critical for many end customers, and that the financial industry must lead the way in protecting customers' data and dollars.

23 NYCRR 500 is slightly different from similar industry regulations, such as the DFARS mandate for DoD contractors, in that its requirements are not explicitly based on a standard framework. However, when reviewing the requirements of what NYDFS defines as a suitable cybersecurity program, patterns start to emerge:

(1) identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on the Covered Entity’s Information Systems;

(2) use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;

(3) detect Cybersecurity Events;

(4) respond to identified or detected Cybersecurity Events to mitigate any negative effects;

(5) recover from Cybersecurity Events and restore normal operations and services; and

(6) fulfill applicable regulatory reporting obligations.

To us, that appears to mirror the language of the five functions of the NIST Cybersecurity Framework. Alongside this derivative of the CSF, 23 NYCRR 500 mandates documented policy standards for data management and security. Furthermore, compliance requires periodic risk assessments and penetration testing, as well as an extensive list of vendor risk management practices.

23 NYCRR 500 Rollout

The NYDFS regulation rollout has been gradual since it was officially implemented in 2017. Organizations that are required to comply had to be compliant by August 28, 2017. Since then, organizations covered by the regulation have had to report periodically and deliver documentation on remediation efforts.

Why Now?

So if 23 NYCRR 500 has been in effect for over two years, why is it still making waves in the cybersecurity industry? Remember those extensive vendor risk management practices included in the regulation? They’re why.

March 1, 2019 marked two years since the law came into effect, and it was the deadline for covered organizations to implement the necessary vendor risk practices, including:

  • The identification and risk assessment of third-party service providers
  • A minimum standard to be met by third-party service providers in order to do business with the covered entity
  • Due diligence processes used to evaluate the adequacy of third-party cybersecurity practices
  • Periodic risk assessment of third parties

This marked the conclusion of the regulation's rollout, and it has caused many organizations to rethink how they approach their cybersecurity practices.

Miss the deadline for NYDFS 23 NYCRR 500? Download our NYDFS Compliance Guide to get started.
