New York Department of Financial Services

23 NYCRR 500 Compliance

23 NYCRR 500 took effect on March 1, 2017. This state regulation, the first of its kind, requires New York banks, financial services companies and insurance companies, including non-New York insurance companies that do business in New York, to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment. Security Compliance Associates (SCA) has partnered with financial services companies for more than 12 years, helping them identify, reduce and manage technology risk. Several other states and regulatory bodies are considering similar legislation, and we expect this trend to continue until such requirements become a standard state-sponsored initiative. Our 23 NYCRR 500 compliance services include:

Cybersecurity Policies and Procedures (Section 500.03)

Your existing Cybersecurity Policies, Procedures and Employee Use Guidelines are evaluated for completeness against industry best practices and the 14 areas defined in 23 NYCRR 500. Areas of strength are identified along with gaps that need to be added or improved. SCA will then revise or rewrite your Cybersecurity Policies, Procedures and Employee Use Guidelines to satisfy regulatory requirements and align with your organization’s size, complexity and culture.

Cybersecurity Risk Assessment (Section 500.09)

Following an established and widely recognized framework, the Cybersecurity Risk Assessment identifies current vulnerabilities and threat sources and discusses planned and recommended countermeasures to mitigate the resulting risks. Information contained in the Cybersecurity Risk Assessment will assist management in making informed decisions regarding your cybersecurity posture, including the actions and controls needed to meet the elements of 23 NYCRR 500.

Cybersecurity Program Review and Penetration Test (Sections 500.02, 500.05)

The Cybersecurity Program Review measures your organization against the 14 areas required by 23 NYCRR 500 and industry best practices. Each gap is assigned a criticality rating along with corrective advice to assist management in planning and executing timely remediation. The executive summary report is ideal for the CISO to submit to the Board or equivalent governing body to fulfill the annual reporting requirement (Section 500.04(b)).

Both internal and external penetration tests are performed to subject your systems to real-world attempts to gain system access and/or escalate access privileges. SCA will attempt to exploit identified vulnerabilities and configuration errors to gain unauthorized system access, using a range of techniques including, but not limited to, manual testing and automated tools.

To meet the requirement for bi-annual (twice-yearly) vulnerability assessments, the first internal and external vulnerability assessments are performed as part of the internal and external penetration tests. Approximately 6 months later, the second internal and external vulnerability assessments are performed.

The outcomes of the Cybersecurity Program Review and Penetration Test are a baseline of your current cybersecurity posture and a roadmap for improving that posture and meeting the requirements of 23 NYCRR 500.

Third Party Security: Risk Assessment and Due Diligence (Section 500.11)

Following your Third-Party Security Policy, SCA will perform a risk assessment and due diligence of third parties that evaluates the adequacy of their cybersecurity practices. SCA reviews whether the third party’s business processes include appropriate physical, administrative and technical safeguards to protect non-public information against unauthorized access or use. Additionally, we review the controls the third party has in place to ensure that any sub-contractor it uses employs appropriate security measures.

Employee Cybersecurity Awareness Training (Section 500.14(b))

Employee Cybersecurity Awareness Training is delivered through our web-based presentation. Training sessions are available on demand, making this format ideal both for onboarding new employees and for annual employee Cybersecurity Awareness Training. Training is a key element in creating awareness and understanding of your cybersecurity policies and procedures.

Incident Response Program (Section 500.16)

Your existing Incident Response Plan is evaluated for completeness against industry best practices and the 7 areas defined in 23 NYCRR 500. Areas of strength are identified along with gaps that need to be added or improved. SCA will then revise or rewrite your Incident Response Plan to satisfy regulatory requirements and to align with your organization’s size, complexity and culture.

If your company provides health insurance, these services can be expanded to cover the HIPAA Security Rule requirements as well.

To learn more, call 727-571-1141.