What is 23 NYCRR 500?
- The New York Department of Financial Services (NYDFS) implemented a new cybersecurity regulation (23 NYCRR 500) applicable to certain financial services companies.
- It imposes new requirements on financial services companies operating in New York under an authorization issued pursuant to the New York Banking Law, Insurance Law, or Financial Services Law.
- Covered Entities must provide annual compliance certifications to state regulators.
- Increased focus on third-party risk management, as breaches are increasingly attributed to third parties and sub-contractors.
What is a Covered Entity?
Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.
ecfirst is prepared to assist organizations in moving swiftly and urgently to establish a credible cybersecurity program that addresses the 23 NYCRR 500 requirements.
Section | 23 NYCRR 500 Requirement |
---|---|
500.02 | Cybersecurity Program |
500.03 | Cybersecurity Policy |
500.04 | Chief Information Security Officer (CISO) |
500.05 | Penetration Testing and Vulnerability Assessments |
500.06 | Audit Trail |
500.07 | Access Privileges |
500.08 | Application Security |
500.09 | Risk Assessment |
500.10 | Cybersecurity Personnel and Intelligence |
500.11 | Third Party Service Provider Security Policy |
500.12 | Multi-Factor Authentication |
500.13 | Limitations on Data Retention |
500.14 | Training and Monitoring |
500.15 | Encryption of Nonpublic Information |
500.16 | Incident Response Plan |
Who Does the Regulation Apply To?
- Insured Depository Institutions
- Branches, Agencies or Offices of Non-US Banks
- Mortgage Brokers
- Insurance Companies
- Trust Companies
- Credit Unions
- Check Cashiers/Money Transmitters