Are you ready for New York State DFS 23 NYCRR 500?

March 14, 2017

Organizations operating under the Banking, Insurance or Financial Services Laws or New York State welcome to the DEPARTMENT OF FINANCIAL SERVICES, 23 NYCRR 500.

Are you a New York State Covered Entity?

The rules define “Covered Entity” as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law, or the Financial Services Law [of New York].”

You may be exempt….

Certain entities may qualify for exemptions from the cybersecurity rules including, for example, entities that (i) have fewer than 10 employees or (ii) have less than $5,000,000 in gross annual revenue for each of the last three fiscal years from New York business operations of the Covered Entity and its Affiliates, or (iii) less than $10,000,000 in year-end total assets, calculated in accordance with generally accepted accounting principles, including assets of all Affiliates. Section 500.19.

What are you required to do and by when…

By 8/28/2017 – Get started, your getting behind!

  • Appoint a Chief Information Security Officer (Section 500.04)
  • Start building, documenting and maintaining a cybersecurity program (Section 500.02) designed to protect the confidentiality, integrity and availability of your Information Systems and the organization’s non-public information data. This will include a Cybersecurity Policy (Section 500.03) to address (a) information security; (b) data governance and classification; (c) asset inventory and device management; (d) access controls and identity management; (e) business continuity and disaster recovery planning and resources; (f) systems operations and availability concerns; (g) systems and network security; (h) systems and network monitoring; (i) systems and application development and quality assurance; (j) physical security and environmental controls; (k) customer data privacy; (l) vendor and Third Party Service Provider management; (m) risk assessment; and (n) incident response.
  • Create an Incident Response Plan (Section 500.16) – Something to start with found here.
  • Limit user access privileges to Information Systems that provide access to Nonpublic Information and periodically review such access privileges. (Section 500.07)
  • Create a process to notify the superintendent of a security event no later than 72 hours after the determination the event has occurred. (Section 500.17)
  • Hire, train and test (“verify”) qualified cybersecurity personnel (or third party) to detect, respond, recover and report on cyber security issues impacting the organization. (Section 500.02)(b) You are legally responsible and required to:
  1. identify and assess internal and external cybersecurity risks that may threaten the security or integrity of Nonpublic Information stored on your Information Systems;
  2. use defensive infrastructure and the implementation of policies and procedures to protect your Information Systems, and the Nonpublic Information stored on those Information Systems, from unauthorized access, use or other malicious acts;
  3. detect Cybersecurity Events;
  4. respond to identified or detected Cybersecurity Events to mitigate any negative effects;
  5. recover from Cybersecurity Events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations.

How NetWatcher can help –Managed Detection & Response of Cybersecurity Events & Vulnerabilities.

NetWatcher Whitepaper

By 2/15/2018 (compliance to 23 NYCRR 500)

  • Submit your annual written statement (to the superintendent) covering the prior calendar year certifying that you are in compliance with the 23 NYCRR 500 requirements.

By 3/1/2018 (compliance to 23 NYCRR 500)

  • Chief Information Security Officer (Section 500.04) will at a minimum once a year report on your cybersecurity program and material cybersecurity risks. First report due 01 March, 2018.
  • Conduct and document a periodic risk assessment (Section 500.09) against policies and procedures that include:
    • criteria for the evaluation and categorization of identified cybersecurity risks or threats facing your organization;
    • criteria for the assessment of the confidentiality, integrity, security and availability of your Information Systems and Nonpublic Information, including the adequacy of existing controls in the context of identified risks;
    • requirements describing how identified risks will be mitigated or accepted based on the Risk Assessment and how the cybersecurity program will address the risks.
  • Institute the use of Multi-Factor Authentication (Section 500.12 Multi-Factor Authentication)
  • Create and manage a Cyber Training policy and program (Section 500.14) for all staff
  • Institute Continuous monitoring OR annual periodic Penetration Testing AND bi-annual vulnerability assessments. (Section 500.05).  Learn how NetWatcher can help with Continuous Monitoring:

NetWatcher Whitepaper

By 9/4/2018 (compliance to 23 NYCRR 500)

  • Document procedures used to limit user access privileges to Information Systems (Section 500.08)
  • Document procedures, guidelines and standards designed to ensure the use of secure development practices for in-house developed applications (Section 500.08)
  • Create and manage policy for Data Retention (Section 500.13)
  • Create and manage an Encryption policy for non-public information (Section 500.15)
  • Create and managed a record retention policy — keep records required to reconstruct financial transactions for 5 years and keep cyber security event audit trails for up to three years.

By 3/1/2019 (compliance to 23 NYCRR 500)

  • Document and manage policy for managing Third Party Service Provider Security (Section 500.11)


You can find the specific language on 23 NYCRR 500 here.