
Today, organizations face many data privacy challenges. According to the New York State Department of Financial Services (NYDFS), “the financial services industry is a significant target of cybersecurity threats”.

After a long history of cyber attacks, data breaches and data privacy challenges in the financial sector, the NYDFS issued the new 23 NYCRR 500 regulation to implement cybersecurity and data privacy requirements for all covered financial services companies.

Issued in March 2017, 23 NYCRR 500 has as its main objective to better protect consumer data privacy in the financial, banking and insurance industries across the United States.

In this first blog article about 23 NYCRR 500, we will outline some key points to help you get a better understanding of the impact of the recent law, including:

  1. What is the 23 NYCRR 500 regulation?
  2. How does the regulation work?
  3. What happened since the law came into force?


Disclaimer: This blog article was written for general information and does not claim to provide legal advice. To understand the full context of 23 NYCRR 500 for your organization, please consult with a privacy compliance and/or legal professional.


1.   What is the 23 NYCRR 500 Regulation?

On March 1, 2017, the State of New York issued a new cybersecurity regulation. This regulation (NYDFS Cybersecurity Regulation 23 NYCRR 500) covered a set of requirements to protect financial institutions more effectively.

This law includes 23 sections about the requirements for the implementation of an effective cybersecurity program. With this regulation, financial institutions must evaluate their risks in terms of cybersecurity to prevent data breaches.


2.   How Does the Regulation Work?

This new law of the State of New York also includes an implementation process with four distinct phases to make sure that your policies are reliable:

  1. Phase One: Implementing the Basics
  2. Phase Two: Establishing Reporting Procedures
  3. Phase Three: Developing a Cybersecurity Program
  4. Phase Four: Securing Third Parties

That said, the main goal of this regulation is to protect consumers and to ensure security for covered organizations and their end consumers.

Therefore, the 23 NYCRR 500 regulation imposes strict cybersecurity rules on covered organizations.

First, the organization needs to designate a Chief Information Security Officer (CISO) to develop, implement and manage a cybersecurity plan. Also, the entity needs to promote a comprehensive cybersecurity policy. Then, it is important that the organization maintains an ongoing reporting system for cybersecurity.



3.   What Happened Since the Law Came into Force?

Since the 23 NYCRR 500 regulation came into force on March 1, 2017, there have been several key milestones that are worth looking into.


August 28, 2017

Entities must comply with the law. This means that they needed to:


February 15, 2018

Covered entities needed to submit their certification of compliance. In fact, the policy must cover these aspects:

March 1, 2018

Next, organizations were required to demonstrate that compliance is indeed maintained:

September 3, 2018

The covered institutions needed to have a comprehensive cybersecurity program in place. For that purpose, the institutions need to have these elements:

March 1, 2019

This is the final requirement milestone. Here, the covered entities needed to finalize their policies regarding any third party.

Organizations needed to have a policy for any third party that has access to the systems, including:


In Closing

If your entity is providing financial services in the United States, it is important to familiarize yourself with the requirements of 23 NYCRR Part 500, not least because it has been fully in force since the spring of 2019.

Even if there are currently no details regarding fines for violations, financial services institutions are best advised to keep in mind that penalties will eventually be calculated. Also, a solid cybersecurity and data privacy program has become integral for businesses to maintain operations, meet stringent compliance requirements, protect their reputation and be good citizens with their customers’ and consumers’ data.

In our next blog article, we will be talking about how 23 NYCRR 500 applies to organizations and provide an overview of best practices for successful implementation.

