23 NYCRR 500

New York’s Cybersecurity Requirements for Financial Services Companies

Download Solution Brief

Overview

In response to the increasing cybersecurity threat posed to information and financial systems, the New York State Department of Financial Services (DFS) has passed the State of New York’s Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). This law took effect on March 1, 2017 in an effort to protect customer information, as well as the IT systems of regulated entities. The adoption timeline for the specific requirements of the regulation continues throughout 2018 and 2019.

What does this mean for you?

If you are a financial services organization licensed and/or regulated by the New York State DFS, you are now required to assess your specific security risk profile and design a program that addresses your organization’s risks, as well as file an annual certification that confirms you are in compliance with the regulations.

What are the requirements?

The complete list of requirements can be found here, but here is a partial list:

  • Implement a cybersecurity program that can:
    • Identify and assess internal and external cybersecurity risks
    • Detect and respond to cybersecurity events
    • Fulfill applicable regulatory reporting obligations
  • Designate a Chief Information Security Officer (CISO) and utilize qualified cybersecurity personnel (may be from a third party service provider)
  • Continuous monitoring or periodic penetration testing and vulnerability assessments
  • Provide and require all personnel attend regular cybersecurity awareness training
  • Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
  • Assess risk to non-public information and information systems accessible or held by third parties, and conduct third-party security assessments at least annually
  • Implement controls, including encryption, to protect non-public data in transit and at rest
  • Establish an incident response plan

Get these additional 23 NYCRR 500 resources to help you prepare:

What are the deadlines?

Download this free infographic to get a list of the deadlines you need to meet.

Infographic

Did you miss our webinar?

Watch a replay for a full discussion on everything you need to know.

Webinar

Download our 23 NYCRR 500 Solution Brief

Complete overview of each 23 NYCRR 500 requirement, and how they map to the EventTracker solution.

Are you a Managed Service Provider or Reseller?

NOTE: Your solution brief will be sent to the email address you provide.