What is 23 NYCRR 500?

  • The New York Department of Financial Services (NYDFS) implemented a new cybersecurity regulation (23 NYCRR 500) applicable to certain financial services companies.
  • The new requirements affect financial services companies operating in New York and authorized under the New York Banking Law, Insurance Law, and Financial Services Law.
  • Covered Entities must provide annual compliance certifications to state regulators.
  • Increased focus on third-party risk management, as breaches are increasingly attributed to third parties and subcontractors.

What is a Covered Entity?

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

ecfirst is prepared to help organizations move swiftly and urgently to establish a credible cybersecurity program that addresses 23 NYCRR 500 requirements.

Who Does the Standard Apply to?

  • Insured Depository Institutions
  • Branches, Agencies or Offices of Non-US Banks
  • Mortgage Brokers
  • Insurance Companies
  • Trust Companies
  • Credit Unions
  • Check Cashiers/Money Transmitters

Cybersecurity Compliance | 23 NYCRR 500


  Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.
