What is 23 NYCRR 500?

  • The New York Department of Financial Services (NYDFS) implemented a new cybersecurity regulation (23 NYCRR 500) applicable to certain financial services companies.
  • It imposes new requirements on financial services companies that operate in New York and are authorized under the New York Banking Law, Insurance Law, and Financial Services Law.
  • Covered Entities must provide annual compliance certifications to state regulators.
  • Increased focus on third-party risk management, as breaches are increasingly attributed to third parties and subcontractors.

What is a Covered Entity?

Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.

ecfirst is prepared to help organizations move swiftly and urgently to establish a credible cybersecurity program that addresses 23 NYCRR 500 requirements.

Who Does the Standard Apply to?

  • Insured Depository Institutions
  • Branches, Agencies or Offices of Non-US Banks
  • Mortgage Brokers
  • Insurance Companies
  • Trust Companies
  • Credit Unions
  • Check Cashiers/Money Transmitters

Cybersecurity Compliance | 23 NYCRR 500


Thought Leadership

Ali Pabrai, MSEE, CISSP (ISSAP, ISSMP), HITRUST Certified CSF Practitioner (CCSFP) is the chief executive of ecfirst, an Inc. 500 business. He is a highly regarded information security and regulatory compliance expert.