What is 23 NYCRR 500?

  • The New York Department of Financial Services (NYDFS) implemented a new cybersecurity regulation (23 NYCRR 500) applicable to certain financial services companies.
  • New requirements affecting financial services companies operating in New York and authorized under the New York Banking Law, Insurance Law, and Financial Services Law.
  • Covered Entities must provide annual compliance certifications to state regulators.
  • Increased focus on third-party risk management as breaches increasingly attributed to third-parties and sub-contractors.

What is a Covered Entity?

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

ecfirst is prepared to assist organizations move swiftly and urgently to establish a credible cybersecurity program that addresses 23 NYCRR 500 requirements.

Who Does the Standard Apply to?

  • Insured Depository Instructions
  • Branches, Agencies or Offices of Non-US Banks
  • Mortgage Brokers
  • Insurance Companies
  • Trust Companies
  • Credit Unions
  • Check Cashiers/Money Transmitters

Cybersecurity Compliance | 23 NYCRR 500

  In the News

Connect with ecfirst at the Defense TechConnect Innovation Summit, Washington, DC, November 28, 2023

  Events

Webinar—Beyond NIST, CMMC Certification: Fusion and Future, October 30, 2023

  Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.