23 NYCRR 500 – DFS Compliance Consulting Services
On March 1st, 2017, the Superintendent of Financial Services (DFS) for New York State passed 23 NYCRR 500. This regulation, also known as Cybersecurity Services for Financial Services Companies, sets forth minimum standards that every banking, insurance, and financial services company licensed in New York must abide by.
Partners in Regulatory Compliance (PIRC) provides DFS Compliance Consulting Services and has created two “DFS Packages” designed to help both Limited-Exempt and Non-Exempt organizations meet compliance requirements. Per the DFS 23 NYCRR 500 regulation, Covered Entities who meet any one or more of the following conditions are considered Limited-Exempt and do not have to comply with certain sections of 23 NYCRR 500.
- Fewer than 10 employees or
- Less than $5 mil in gross annual revenue in each of the last three fiscal years or
- Less than $10 mil in year-end total assets
Limited-Exempt Requirements
- 500.02 – Cyber Security Program
- 500.03 – Cyber Security Policy
- 500.07 – Access Privileges
- 500.09 – Risk Assessment
- 500.11 – 3rd Party Service Provider Security Policy
- 500.13 – Limitations on Data Retention
- 500.17 – Notices to Superintendent
- 500.18 – Confidentiality
Non-Exempt Requirements
- 500.02 – Cyber Security Program
- 500.03 – Cyber Security Policy
- 500.04 – Chief Information Security Officer
- 500.05 – Penetration Testing & Vulnerability Assessments
- 500.06 – Audit Trail
- 500.07 – Access Privileges
- 500.08 – Application Security
- 500.09 – Risk Assessment
- 500.10 – Cybersecurity Personnel & Intelligence
- 500.11 – 3rd Party Service Provider Security Policy
- 500.12 – Multi-Factor Authentication
- 500.13 – Limitations on Data Retention
- 500.14 – Training & Monitoring
- 500.15 – Encryption of Nonpublic Information
- 500.16 – Incident Response Plan
- 500.17 – Notices to Superintendent
- 500.18 – Confidentiality
The pivotal component of 23 NYCRR 500, for both Limited-Exempt and Non-Exempt organizations, is the risk assessment required under section 500.09. This risk assessment forms the basis of understanding for what administrative, physical, and technical risks face the organization and provides an action plan for addressing and reducing or eliminating those risks. In effect, it provides a roadmap by which organizations can budget for future IT expenditures. Organizations will obviously want to spend money addressing critical and high risks before medium or low risks.
It is important for companies to consider leveraging an objective, third-party cybersecurity firm like PIRC to undertake the risk assessment. But why? PIRC will look at the risks facing your organization with no preconceived notions, no bias, and no politics. We will give you our 100% objective view and we’ll do it using the de facto standard NIST SP800-30 framework for performing risk assessments.
In addition to the risk assessment, PIRC can also help companies with the other requirements of 23 NYCRR 500, particularly the CISO role required in section 500.04. By engaging PIRC for both the risk assessment and CISO role, you’ll effectively have a partner guiding you through compliance from obtaining a risk baseline to helping you navigate the waters of risk reduction over time. For more information on our DFS Compliance Consulting Services and to schedule a complimentary consultation, contact us at (646) 863-9050.