NYCRR Cybersecurity Risk Assessment COVID 19

Avoid NYCRR Infractions


In 2017, the New York State Department of Financial Services (NYDFS) launched GDPR-like cybersecurity regulations for its massive financial industry. The regulation lays out reporting requirements in the event of a data breach and limitations on retaining data.

23 NYCRR 500 issues uniform guidelines on a number of measures to undertake for enhanced data protection. Some of the requirements include conducting regular risk assessments, documenting and enforcing cybersecurity policies, designating a full-time or part-time Chief Information Security Officer (CISO), conducting periodic tests, and more.


Are You In Compliance with 23 NYCRR Part 500?

New York’s Cybersecurity Regulation (23 NYCRR Part 500)


The NYCRR primarily contains state agency rules and regulations adopted under the State Administrative Procedure Act (SAPA). The 23 Titles include one for each state department, one for miscellaneous agencies and one for the Judiciary. The Office of Court Administration and the Judiciary are exempt from SAPA requirements.

The NYDFS Cybersecurity Regulation (23 NYCRR 500) is “designed to promote the protection of customer information as well as the information technology systems of regulated entities”.

What is the NYCRR Cybersecurity Regulation?

Cyber criminals have been hyper-active over the last few years in targeting many different industries with malware, ransomware, phishing, and other cyberattacks. Financial institutions across the globe have been badly affected by the surge in such attacks. New York has been at the epicenter of many of them, which has resulted in huge financial losses, severe reputational damage, and in some cases even bankruptcy. In response to this ever-growing threat environment, the NYDFS issued the final Cybersecurity Regulation (23 NYCRR Part 500) to standardize security measures across covered entities. The objective is to have proper security policies and procedures in place to better protect client data against breaches and to encourage higher security standards across the board.

23 NYCRR 500 Timeline: The regulation went into effect on March 1, 2017, with implementation to occur within 180 days (August 28, 2017); it affects entities regulated by the New York Department of Financial Services (DFS).


The requirements outlined by this new regulation include:

  • Appoint a Chief Information Security Officer (CISO)
  • Establish a cybersecurity program
  • Implement and maintain a written cybersecurity policy
  • Conduct annual penetration tests and bi-annual vulnerability assessments
  • Evaluate, assess, and test the security of in-house and external technology applications
  • Conduct periodic risk assessments
  • Ensure cybersecurity personnel are properly trained and qualified
  • Establish policies and procedures to protect nonpublic information held by third-party service providers
  • Implement multi-factor or risk-based authentication
  • Ensure periodic secure disposal of nonpublic information that is no longer needed
  • Monitor and train all firm personnel
  • Encrypt nonpublic information
  • Establish a written incident response plan
  • Notify the superintendent of any cybersecurity event within 72 hours

Who Is Affected?

The NYDFS Cybersecurity Regulation covers any organization operating in the state of New York under authorization of the Banking Law, the Insurance Law, or the Financial Services Law.

This includes:


  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

Certain entities that do not handle classes of nonpublic information are also exempt from certain provisions (23 NYCRR 500.19(c) and (d)).

If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of determining that the exemption applies (23 NYCRR 500.19(e)).

What Are the NYDFS Regulation Requirements?

The NYDFS Cybersecurity Regulation (23 NYCRR 500) contains a new set of rules that sets out the cybersecurity requirements for all covered financial organizations.

The regulation is designed to promote the protection of client information as well as the information technology systems of regulated entities. A checklist of the NYDFS cybersecurity requirements follows:

Section 500.02 – Cybersecurity Program

  • To set up a cybersecurity program, based on periodic risk assessments, that identifies and assesses cyber risks.
  • To protect information systems and nonpublic information.
  • To detect, respond to, and recover from cybersecurity events, and to fulfill all reporting requirements.

Section 500.03 – Cybersecurity Policies

  • To develop and enforce written policies and procedures, based on the company’s risk assessment, that protect the firm’s information systems and confidential information.

Section 500.04 – Chief Information Security Officer

  • To appoint a CISO who is responsible for overseeing and implementing the cybersecurity program. The CISO may be employed by the covered entity itself, by an affiliate, or by a third-party service provider.

Section 500.05 – Penetration Testing and Vulnerability Management

  • To provide continuous penetration testing that gives your organization a practical view of how attackers exploit IT weaknesses and of the methods for preventing them.
  • To ensure that your engineers are trained in the latest security methods and understand this widespread threat.

Section 500.06 – Audit Trail

  • To maintain systems designed to reconstruct financial transactions following a security breach, and to keep audit trails
  • To detect and respond to all cybersecurity events

Section 500.07 – Access Privileges

  • To limit access privileges to PII and to review those privileges periodically.

Section 500.08 – Application Security

  • To ensure that secure development practices and procedures are mandatory for internally developed applications, and that developed applications are periodically evaluated, assessed, and security tested.

Section 500.09 – Risk Assessments

  • To conduct bi-annual, documented risk assessments of threats and to examine whether the current controls address the identified risks.

Section 500.10 – Cybersecurity Personnel and Intelligence

  • To ensure that qualified cybersecurity personnel, whether in-house, from an affiliate, or from a third-party service provider, have sufficient time to manage your organization’s risks.
  • To perform or oversee the execution of the required cybersecurity functions.

Section 500.12 – Multi-Factor Authentication

  • To use multi-factor authentication to protect against unauthorized access to confidential information.

Section 500.13 – Data Retention Limitations

  • To ensure that each covered entity has policies and procedures governing the retention and secure disposal of specific categories of confidential information.

Section 500.14 – Training and Observation

  • To ensure that covered entities implement risk-based policies for monitoring authorized users’ activity and detecting unauthorized access to or use of confidential information.
  • To ensure that periodic cybersecurity awareness training is provided to all personnel

Section 500.15 – Encryption of Confidential Information

  • To ensure that all covered entities implement encryption controls, based on the required risk assessment (Section 500.09), to protect confidential information that is held at rest or transmitted over external networks.
  • To ensure that such controls are reviewed and approved by the CISO on an annual basis

Section 500.16 – Incident Response Plan

  • To ensure that a written incident response plan is established for responding to and recovering from a cybersecurity incident.

Section 500.17 – Superintendent Notification

  • To ensure that the NYDFS is notified within 72 hours when a cybersecurity incident is detected.


Checklist for 23 NYCRR Part 500

  • Develop and maintain a robust cybersecurity program
  • Implement a comprehensive cybersecurity policy
  • Designate a Chief Information Security Officer (CISO)
  • Monitor and test the effectiveness of your cybersecurity program
  • Maintain an audit trail
  • Limit access to information systems that contain nonpublic information
  • Assess and test the security of third-party applications
  • Conduct periodic tests and document the results to ensure consistency in data protection
  • Recruit or hire cybersecurity experts to consult on and manage cybersecurity risks
  • Document and enforce data retention and deletion policies and procedures
  • Detect any unauthorized access and document it
  • Develop a cybersecurity training program for employees
  • Develop cybersecurity incident reporting plans


How CompCiti Can Help?

According to the new NYDFS cybersecurity regulation, all covered entities must implement its requirements and file the required certification by August 28, 2017. Those who are not compliant by this deadline will be penalized. The compliance experts at CompCiti will not only ensure that you are compliant, but will help you implement a more effective, long-term cybersecurity protocol in the process.

CompCiti provides its clients with CISA-certified IT auditing services. We offer a range of services from IT auditing to helping you address any cybersecurity issues identified during the audit. CompCiti can also act as your Chief Information Security Officer (CISO), taking care of all the details to ensure compliance.

An IT audit is similar to a financial audit in that it helps ensure your company is following cybersecurity best practices. An IT audit includes a risk assessment of cyber threats (as required by 23 NYCRR Part 500), but it is also designed to find holes in your cybersecurity, review software update policies, and more, to ensure your client data is secure. Most importantly, a comprehensive IT audit gives you the full picture of your current cybersecurity preparedness, allowing you to develop a more effective Cybersecurity Program and Cybersecurity Policy than you could with a risk assessment alone.

Contact CompCiti today for a free needs assessment. We’ll explain to you what you need to meet full DFS compliance and how we can help you every step of the way.



NYDFS Cybersecurity FAQs

1. Do you have to report all cybersecurity events within 72 hours to NYDFS?

You must report events that have a “reasonable likelihood of materially harming any material part” of the company’s IT infrastructure.

2. How frequently do you have to conduct risk assessments?

Covered entities are required to conduct a risk assessment at least once a year. However, it is recommended to conduct “periodic” assessments to ensure the safeguards remain effective.

3. How much documentation is required beyond developing security policies?

The purpose of this entire exercise is to bring uniformity to the measures financial institutions take to protect themselves against imminent cybersecurity threats. Significant documentation is required to achieve this standard. From preparing for incident reporting to presenting the company’s risk assessment report, the CISO is required to handle a lengthy trail of documentation. Upon identifying a potential threat, the CISO is also responsible for documenting the remediation efforts undertaken to ensure the threat is neutralized.

