23 NYCRR 500

On March 1st, 2017, the Superintendent of Financial Services (DFS) for New York State passed 23 NYCRR 500. This regulation, also known as Cybersecurity Services for Financial Services Companies, sets forth minimum standards that every banking, insurance, and financial services company licensed in New York must abide by.

23 NYCRR 500 was deployed in three phases with the various sections coming due on the dates below.

| Section | Effective Date | Brief Description |
|---|---|---|
| 500.02 | 8/28/2017 | Cybersecurity Program |
| 500.03 | 8/28/2017 | Cybersecurity Policy |
| 500.04 | 8/28/2017 | Chief Information Security Officer (CISO) |
| 500.04(b) | 3/1/2018 | Annual Report by CISO |
| 500.05 | 3/1/2018 | Penetration Testing and Vulnerability Assessments |
| 500.06 | 8/28/2018 | Audit Trail |
| 500.07 | 8/28/2017 | Access Privileges |
| 500.08 | 8/28/2018 | Application Security |
| 500.09 | 3/1/2018 | Risk Assessment |
| 500.10 | 8/28/2017 | Cybersecurity Personnel and Intelligence |
| 500.11 | 3/1/2019 | Third Party Service Provider Security Policy |
| 500.12 | 3/1/2018 | Multi-Factor Authentication |
| 500.13 | 8/28/2018 | Limitations on Data Retention |
| 500.14(a)(1) | 8/28/2018 | Training and Monitoring: Implement policies to monitor authorized users and detect unauthorized access to nonpublic information by such authorized users |
| 500.14(a)(2) | 3/1/2018 | Training and Monitoring: Provide regular cybersecurity awareness training |
| 500.15 | 8/28/2018 | Encryption of Nonpublic Information |
| 500.16 | 8/28/2017 | Incident Response Plan |
| 500.17 | 8/28/2017 | Notices to Superintendent |

Partners in Regulatory Compliance (PIRC) has created two “DFS Packages” designed to help both Limited-Exempt and Non-Exempt organizations meet compliance requirements. Per the DFS 23 NYCRR 500 regulation, Covered Entities who meet any one or more of the following conditions are considered Limited-Exempt and do not have to comply with certain sections of 23 NYCRR 500.

  1. Fewer than 10 employees or
  2. Less than $5 mil in gross annual revenue in each of the last three fiscal years or
  3. Less than $10 mil in year-end total assets

Limited-Exempt Requirements

  • 500.02 – Cyber Security Program
  • 500.03 – Cyber Security Policy
  • 500.07 – Access Privileges
  • 500.09 – Risk Assessment
  • 500.11 – 3rd Party Service Provider Security Policy
  • 500.13 – Limitations on Data Retention
  • 500.17 – Notices to Superintendent
  • 500.18 – Confidentiality

Non-Exempt Requirements

  • 500.02 – Cyber Security Program
  • 500.03 – Cyber Security Policy
  • 500.04 – Chief Information Security Officer
  • 500.05 – Penetration Testing & Vulnerability Assessments
  • 500.06 – Audit Trail
  • 500.07 – Access Privileges
  • 500.08 – Application Security
  • 500.09 – Risk Assessment
  • 500.10 – Cybersecurity Personnel & Intelligence
  • 500.11 – 3rd Party Service Provider Security Policy
  • 500.12 – Multi-Factor Authentication
  • 500.13 – Limitations on Data Retention
  • 500.14 – Training & Monitoring
  • 500.15 – Encryption of Nonpublic Information
  • 500.16 – Incident Response Plan
  • 500.17 – Notices to Superintendent
  • 500.18 – Confidentiality

The pivotal component of 23 NYCRR 500, for both Limited-Exempt and Non-Exempt organizations, is the risk assessment required under section 500.09. This risk assessment establishes which administrative, physical, and technical risks the organization faces and provides an action plan for addressing and reducing or eliminating those risks. In effect, it provides a roadmap by which organizations can budget for future IT expenditures. Organizations will obviously want to spend money addressing critical and high risks before medium or low risks.

It is important for companies to consider leveraging an objective, third-party cybersecurity firm like PIRC to undertake the risk assessment. But why? PIRC will look at the risks facing your organization with no preconceived notions, no bias, and no politics. We will give you our 100% objective view, and we’ll do it using the de facto standard NIST SP 800-30 framework for performing risk assessments.

In addition to the risk assessment, PIRC can also help companies with the other requirements of 23 NYCRR 500, particularly the CISO role required in section 500.04. By engaging PIRC for both the risk assessment and CISO role, you’ll effectively have a partner guiding you through compliance from obtaining a risk baseline to helping you navigate the waters of risk reduction over time.