What is 23 NYCRR 500?

  • The New York Department of Financial Services (NYDFS) implemented a cybersecurity regulation, 23 NYCRR 500, that applies to certain financial services companies.
  • The regulation imposes new requirements on financial services companies operating in New York under the New York Banking Law, Insurance Law, or Financial Services Law.
  • Covered Entities must submit an annual certification of compliance to the NYDFS Superintendent.
  • The regulation places increased emphasis on third-party risk management, since breaches are increasingly attributed to third parties and sub-contractors.

What is a Covered Entity?

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

ecfirst is prepared to assist organizations in moving swiftly to establish a credible cybersecurity program that addresses the 23 NYCRR 500 requirements.

Section   23 NYCRR 500 Requirement
500.02    Cybersecurity Program
500.03    Cybersecurity Policy
500.04    Chief Information Security Officer (CISO)
500.05    Penetration Testing and Vulnerability Assessments
500.06    Audit Trail
500.07    Access Privileges
500.08    Application Security
500.09    Risk Assessment
500.10    Cybersecurity Personnel and Intelligence
500.11    Third Party Service Provider Security Policy
500.12    Multi-Factor Authentication
500.13    Limitations on Data Retention
500.14    Training and Monitoring
500.15    Encryption of Nonpublic Information
500.16    Incident Response Plan

Who Does the Regulation Apply to?

  • Insured Depository Institutions
  • Branches, Agencies or Offices of Non-US Banks
  • Mortgage Brokers
  • Insurance Companies
  • Trust Companies
  • Credit Unions
  • Check Cashiers/Money Transmitters

Cybersecurity Compliance | 23 NYCRR 500