Written by Hitachi Systems Security on 30 April 2019

NYDFS Cybersecurity Regulation: What is 23 NYCRR 500?

Today, organizations face many data privacy challenges. According to the New York State Department of Financial Services (NYDFS), “the financial services industry is a significant target of cybersecurity threats”.

After a long history of cyber attacks, data breaches and data privacy challenges in the financial sector, the NYDFS issued the new 23 NYCRR 500 regulation to implement cybersecurity and data privacy requirements for all covered financial services companies.

Issued in March 2017, the main objective of 23 NYCRR 500 is to better protect consumer data privacy in the financial, banking and insurance industries across the United States.

In this first blog article about 23 NYCRR 500, we will outline some key points to help you get a better understanding of the impact of the recent law, including:

  1. What is the 23 NYCRR 500 regulation?
  2. How does the regulation work?
  3. What happened since the law came into force?


Disclaimer: This blog article was written for general information and does not claim to provide legal advice. To understand the full context of 23 NYCRR 500 for your organization, please consult with a privacy compliance and/or legal professional.


1.   What is the 23 NYCRR 500 Regulation?

On March 1, 2017, the State of New York issued a new cybersecurity regulation. This regulation (NYDFS Cybersecurity Regulation 23 NYCRR 500) sets out a set of requirements to protect financial institutions more effectively.

This law includes 23 sections about the requirements for the implementation of an effective cybersecurity program. With this regulation, financial institutions must evaluate their risks in terms of cybersecurity to prevent data breaches.


2.   How Does the Regulation Work?

This new law of the State of New York also includes an implementation process with four distinct phases to make sure that your policies are reliable:

  1. Phase One: Implementing the Basics
  2. Phase Two: Establishing Reporting Procedures
  3. Phase Three: Developing a Cybersecurity Program
  4. Phase Four: Securing Third Parties

That said, the main goal of this regulation is to protect consumers: covered organizations must secure both their own systems and the data of their end consumers.

Therefore, 23 NYCRR 500 regulation imposes strict cybersecurity rules for covered organizations.

First, the organization needs to designate a Chief Information Security Officer (CISO) to develop, implement and manage a cybersecurity plan. Also, the entity needs to adopt a comprehensive cybersecurity policy. Then, it is important that the organization maintains an ongoing reporting system for cybersecurity.



3.   What Happened Since the Law Came into Force?

Once the 23 NYCRR 500 regulation came into force on March 1, 2017, there have been several key milestones that are worth looking into.


August 28, 2017

Entities had to comply with the law by this date. This means that they needed to:

  • Establish an effective cybersecurity program
  • Create and maintain a written cybersecurity policy
  • Designate a chief information security officer (CISO)
  • Hire qualified cybersecurity personnel or utilize third-party providers
  • Establish an incident response plan (IRP)
  • Submit notification of incidents to the NYDFS (within 72 hours)


February 15, 2018

Covered entities needed to submit their certification of compliance. In fact, the policy must cover these aspects:

  • Information security
  • Access controls
  • Disaster recovery planning
  • Systems and network security
  • Customer data privacy
  • Regular risk assessments

March 1, 2018

Next, organizations were required to demonstrate that compliance is indeed maintained:

  • The CISO must file a cybersecurity report
  • The organization must conduct regular penetration testing and vulnerability management exercises
  • Conduct bi-annual risk assessments


September 3, 2018

The covered institutions needed to have a comprehensive cybersecurity program in place. For that purpose, the institutions needed to have these elements:

  • An audit trail that reflects threat detection and response activities
  • Written documentation of procedures, standards, and guidelines for in-house applications as well as procedures for evaluating third-party applications
  • Detailed data retention policy documentation, including how non-public personal information is disposed
  • Encryption and other robust security control measures

March 1, 2019

This is the final requirement milestone. Here, the covered entities needed to finalize their policies regarding any third party.

Organizations needed to have a policy for any third party that has access to the systems, including:

  • Risk assessment of third-party service providers
  • The covered financial institution’s security requirements of third-party service providers that must be met in order to conduct business with that entity
  • Processes for evaluating the effectiveness of a third-party service provider’s security practices
  • Periodic assessments of third-party policies and controls


In Closing

If your entity is providing financial services in the United States, it is important to familiarize yourself with the requirements of 23 NYCRR Part 500, not only because it has been fully in force since the spring of 2019.

Even if there are currently no details regarding fines for violations, financial services institutions are best advised to keep in mind that penalties will eventually be calculated. Also, a solid cybersecurity and data privacy program has become an integral part of how businesses maintain operations, meet stringent compliance requirements, protect their reputation and act as good stewards of their customers’ and consumers’ data.

In our next blog article, we will be talking about how 23 NYCRR 500 applies to organizations and provide an overview of best practices for successful implementation.


Meanwhile, if you’d like to learn more about data privacy obligations and how to report on them effectively, watch our webinar “Reporting Data Privacy Obligations to the Board: A Practical Approach to Ongoing Compliance”, which we co-hosted with our partner Nymity.
