NY State Cybersecurity Regulations (23 NYCRR 500)

What types of organizations must comply?

The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York
What is 23 NYCRR 500?

New York State Department of Financial Services (NYDFS) has used its authority under state law to protect consumers and to “ensure the safety and soundness of the institution on behalf of their clients,” to create new regulations around cybersecurity. These apply to any registered entity providing financial services including insurance companies, banks, as well as financial services institutions. The 23 NYCRR 500 is part 500 of the NYDFS’s overall body of regulation.

In short, 23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:

  • Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
  • Requirements that a program is adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
  • Effective incident response plans that include preserving data in order to respond to data breaches including notice within 72 hours to the NYDFS of material events.
  • Accountability provided by identification and documentation of deficiencies, remediation plans, and certifications of compliance on an annual basis.
  • Audit trails designed to detect and respond to cybersecurity events.
  • Annual reports covering the risks faced, all material events, and the impact on protected data.