23 NYCRR 500 Explained: Requirements and How to Be Compliant
What Is 23 NYCRR 500?
In 2017, the New York State (NYS) Department of Financial Services (DFS) implemented 23 NYCRR Part 500, a regulation establishing cybersecurity requirements for financial services companies. Chapter 23 of the New York Codes, Rules, and Regulations (NYCRR) covers financial services requirements. Part 500 addresses the protection of nonpublic information. You may also see this regulation referred to as NYS DFS 500.
Who Does It Apply To?
NYCRR 500 applies to banking, insurance, and financial services companies operating in the state of New York.
According to this framework, “Covered Entities” are defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.” While this may sound like the regulation only applies to individuals, it defines “Person” as “any individual or any non-governmental entity, including but not limited to any non-governmental partnership, corporation, branch, agency or association.”
Exemptions
The regulation exempts certain types of Covered Entities. Notably, these exemptions apply to some but not all of the regulation’s provisions. Exemptions apply if you meet one or more of these criteria:
- Fewer than ten employees, including subcontractors.
- Less than $5 million in gross annual revenue in each of the last three years from New York business.
- Less than $10 million in year-end assets.
- You are an employee, agent, or representative of another Covered Entity and are covered by that entity’s cybersecurity program.
- Do not operate, maintain, utilize, or control any IT systems and do not have access to, generate, or receive nonpublic information.
If you meet one or more of these criteria, more information about which provisions of the regulation you may be exempt from is available here.
Why Was This Regulation Implemented?
New York State implemented this regulation to protect financial services markets and consumers’ private information in response to the significant growth in data breaches and cyber threats. By providing a comprehensive format, this regulation aims to standardize language and security parameters for the protection of private information within the financial space.
What Are the Penalties for Non-Compliance?
Fines for violations of 23 NYCRR 500 can be significant. Here are our estimates of what the fines could be based on the NY Banking Law:
- $2,500/day during which violation continues.
- $15,000/day in the event of any reckless or unsound practice.
- $75,000/day in the event of knowing and willful violation.
What Qualifies as Nonpublic Information?
23 NYCRR 500 was designed to protect the nonpublic information (NPI) of a Covered Entity from tampering, unauthorized disclosure, access, or use that has a material adverse impact on the business, operations, or security.
Some examples of NPI include:
An individual’s name, number, personal mark, or other identifier combined with:
- Social security number, driver’s license number, identification card number.
- Account number, credit or debit card number.
- Security code, access code, or password that would permit access to an individual’s financial account.
- Biometric records.
Information from a health insurance provider or an individual that relates to:
- Mental or behavioral health of any individual or a member of the individual’s family.
- The provision of health care to any individual.
- Payment for the provision of health care to any individual.
What Are the Core Compliance Requirements?
Here is a quick guide to the key 23 NYCRR 500 cybersecurity requirements:
Governance & Oversight
- Establish a cybersecurity program and assign a qualified Chief Information Security Officer.
- Establish a cybersecurity governance program that includes regular reporting and notifications to the executive team and annual reporting to the Board of Directors on the cybersecurity program status and material risks.
Risk & Policy Management
- Establish and maintain cybersecurity policies. These must cover data classification, business continuity and data recovery, vendor risk management, incident response, and physical security at a minimum.
Testing & Training
- Conduct annual penetration testing and bi-annual vulnerability assessments.
- Provide security awareness training to personnel and monitor activities of authorized users.
Technical Safeguards
- Use multi-factor authentication (MFA) for accessing internal networks from external networks.
- Encrypt data in transit and at rest.
Incident Response
- Notify the NYS Superintendent of cybersecurity events within 72 hours.
- Submit a Certification of Compliance report annually via the DFS Cybersecurity Portal. Reports covering calendar year 2021 are due on April 15, 2023.
How Tevora Can Help
If you need help meeting 23 NYCRR 500 requirements, Tevora’s team of security experts has got you covered. We are an accredited ISO 17020 Inspection Body and have been approved to perform inspections of information systems to assess their compliance with 23 NYCRR 500. We have helped many of New York’s leading financial services companies achieve 23 NYCRR 500 compliance and would welcome the chance to do this for you.
Our Approach
Based on our extensive experience with 23 NYCRR 500, we have developed a streamlined, three-phased approach to help our clients achieve compliance.
Phase 1 – Gap Assessment
In this phase, we review your environment to identify areas of non-compliance with 23 NYCRR 500. Our findings are documented in a report that describes each control objective for which a gap was found, details of the identified gaps, and recommendations for remediation.
Phase 2 – Remediation Support
We partner with your team to take the steps needed to resolve the gaps identified in Phase 1. The work we perform will depend on the identified areas of improvement and the degree to which you would like Tevora’s help closing the gaps.
In the remediation process, we often assist with:
- Documentation Support. This includes deliverables such as developing an incident response plan or documenting policies.
- Service Support. For example, penetration testing.
- Solution Implementation. We help implement security solutions such as multi-factor authentication (MFA).
- Recommendations. For example, best-practice recommendations for implementing the industry’s top technologies.
- Configuration Assistance. We help make configuration changes needed to meet compliance requirements.
Phase 3 – Accredited Assessment
After the improvements have been implemented, we perform an ISO 17020 Accredited Assessment to validate your compliance with 23 NYCRR 500. We document the results in a formal Assessment and Attestation report that describes Tevora staff qualifications, project scope, methodology used for the assessment, and a full review of controls mapped to supporting evidence indicating that 23 NYCRR 500 requirements have been met.
Once this phase is complete, you can be confident that your information systems meet all requirements of 23 NYCRR 500.
While the number and magnitude of gaps found for each client will have an impact on timing, we are generally able to complete all three phases within three weeks.
Talk to an Expert
If you have questions about 23 NYCRR 500 or would like help bringing your organization into compliance, just give us a call at (833) 292-1609 or email us at sales@tevora.com.
Why Clients Choose Tevora
Founded in 2003, Tevora is a specialized management consultancy focused on cybersecurity, risk and compliance services. Based in Irvine, CA, our experienced consultants are devoted to supporting the CISO in protecting their organization’s digital assets. We make it our responsibility to ensure the CISO has the tools and guidance they need to build their departments, so they can prevent and respond to daily threats.
Our expert advisors take the time to learn about each organization’s unique pressures and challenges, so we can help identify and execute the best solutions for each case. We take a hands-on approach to each new partnership and, year after year, apply our cumulative learnings to continually strengthen the company’s digital defenses.
FAQs
What is the main purpose of 23 NYCRR 500?
23 NYCRR 500 is a cybersecurity regulation issued by the New York State Department of Financial Services (NYDFS). Its primary goal is to ensure that financial institutions and other regulated entities maintain a robust cybersecurity program to protect sensitive customer data and the integrity of the financial system.
Who enforces 23 NYCRR 500?
The New York State Department of Financial Services (NYDFS) is responsible for enforcing 23 NYCRR 500. The agency conducts examinations, investigates potential non-compliance, and can issue penalties for violations.
Who qualifies as a Covered Entity?
A “Covered Entity” includes any individual or organization operating under a license, registration, charter, certificate, permit, or similar authorization under New York’s banking, insurance, or financial services laws. This includes banks, insurance companies, mortgage brokers, and other financial services firms regulated by NYDFS.
How do I file an exemption?
Covered Entities that meet specific criteria—such as having fewer than 10 employees or under $5 million in gross annual revenue—may qualify for a limited exemption. Exemptions must be filed through the NYDFS cybersecurity portal by the applicable deadline each year.
What are the reporting timelines for cyber incidents?
Covered Entities must report any cybersecurity event that has a reasonable likelihood of materially harming the business or affects normal operations within 72 hours of discovery. Reporting must be done via the NYDFS online reporting system.
What happens if I don’t comply?
Failure to comply with 23 NYCRR 500 can lead to regulatory enforcement actions, including civil monetary penalties, reputational damage, and increased regulatory scrutiny. NYDFS has publicly penalized firms for non-compliance, reinforcing the importance of ongoing adherence.
Do I need to submit an annual certification?
Yes. Covered Entities must submit an annual certification to NYDFS by April 15th each year, attesting to their compliance with the regulation. This certification must be signed by a senior officer or board member and should reflect a thorough internal review.
Tevora Webinar
For a deeper dive on this subject, check out our Introduction to 23 NYCRR 500 webinar.
Additional Resources
Here are some resources that provide additional detail on 23 NYCRR 500 and related topics: