What is 23 NYCRR 500?

  • The New York Department of Financial Services (NYDFS) implemented a new cybersecurity regulation (23 NYCRR 500) applicable to certain financial services companies.
  • New requirements affecting financial services companies operating in New York and authorized under the New York Banking Law, Insurance Law, and Financial Services Law.
  • Covered Entities must provide annual compliance certifications to state regulators.
  • Increased focus on third-party risk management, as breaches are increasingly attributed to third parties and subcontractors.

What is a Covered Entity?

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

ecfirst is prepared to assist organizations in moving swiftly and urgently to establish a credible cybersecurity program that addresses 23 NYCRR 500 requirements.

Who Does the Standard Apply to?

  • Insured Depository Institutions
  • Branches, Agencies or Offices of Non-US Banks
  • Mortgage Brokers
  • Insurance Companies
  • Trust Companies
  • Credit Unions
  • Check Cashiers/Money Transmitters

  Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.