What is 23 NYCRR 500?

The Big Picture

The NYDFS Cybersecurity Regulation, 23 NYCRR 500, requires New York banks, financial services companies and insurance companies, including non-New York insurance companies that do business in New York, to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on that Risk Assessment. This risk-based approach is designed to protect the confidentiality, integrity, and availability of information systems, ultimately protecting consumers and the New York State financial services industry.

Taking a Closer Look – Who is Covered?

The NYDFS Cybersecurity Regulation applies to any business regulated by the NYDFS under the Banking Law, Insurance Law or Financial Services Law. These “covered entities” include:

  • State-chartered banks
  • Licensed Lenders
  • Private bankers
  • Service contract providers
  • Trust companies
  • Mortgage companies
  • Foreign banks licensed to operate in New York
  • Insurance companies doing business in New York

Organizations that qualify for a limited exemption from the regulation include those with any of the following:

  • Fewer than 10 employees
  • Less than $5 million in gross annual revenue in each of the last three years from New York business operations
  • Less than $10 million in year-end total assets

Taking a Closer Look – What is Required?

The NYDFS Cybersecurity Regulation requires the covered entities listed above to create and maintain a Cybersecurity Program based on their Cybersecurity Risk Assessment. The Cybersecurity Program should perform the following functions:

  1. Identify and assess internal and external Cybersecurity risks
  2. Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems
  3. Detect Cybersecurity Events
  4. Respond to identified or detected Cybersecurity Events to mitigate any negative effects
  5. Recover from Cybersecurity Events and restore normal operations and services
  6. Fulfill applicable regulatory reporting obligations

Taking a Closer Look – How do Businesses Reach Compliance?

The timetable to become compliant began when 23 NYCRR 500 took effect on March 1, 2017. There are several milestone dates and transitional periods throughout the compliance process. These milestone dates and their expectations are listed below.

August 28, 2017 – 180-day transitional period ends. Covered entities are required to be in compliance with certain parts of the regulation, unless otherwise noted, namely sections:

  • 500.02 – Establish and maintain a Cybersecurity Program
  • 500.03 – Implement and maintain written cybersecurity policies and procedures
  • 500.04(a) – Designate a Chief Information Security Officer (CISO)
  • 500.16 – Establish a written incident response plan

February 15, 2018 – Covered entities are required to submit the first annual certification to the NYDFS Superintendent’s office:

  • 500.17(b) – Annual written statement covering the prior year certifying compliance with the NYDFS Cybersecurity Regulation

March 1, 2018 – One-year transitional period ends. Covered entities are required to be in compliance with these sections:

  • 500.04(b) – Annual CISO cybersecurity report to the Board of Directors or equivalent governing body
  • 500.05 – Annual penetration testing and bi-annual vulnerability assessments
  • 500.09 – Conduct a Cybersecurity Risk Assessment
  • 500.12 – Implement Multi-Factor Authentication or Risk-Based Authentication
  • 500.14(b) – Training: Provide employee cybersecurity awareness training

September 3, 2018 – Eighteen-month transitional period ends. Covered entities are required to be in compliance with these sections:

  • 500.06 – Have the ability to reconstruct material financial transactions and maintain audit trails to detect and respond to Cybersecurity Events
  • 500.08 – Implement application security procedures, guidelines and standards for both in-house and externally developed applications
  • 500.13 – Implement data retention policies and procedures
  • 500.14(a) – Implement policies, procedures and controls to monitor the activity of authorized users and detect unauthorized access to, use of, or tampering with nonpublic information
  • 500.15 – Encrypt nonpublic information in transit over external networks and at rest

March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with 23 NYCRR 500.

Moving forward, per Section 500.17, covered entities are required to notify the NYDFS Superintendent within 72 hours of a Cybersecurity Event. In addition, an annual written statement covering the prior year and certifying compliance with 23 NYCRR 500 must be submitted to the Superintendent.

Meeting the requirements of 23 NYCRR 500 can be a daunting process. With proper planning and the use of available resources, such as an experienced, reputable cybersecurity partner, compliance and robust cybersecurity are well within reach.