What is the 23 NYCRR 500?

Maria T. Vullo, New York’s Superintendent of Financial Services, implemented Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations in an attempt to standardize cybersecurity requirements for financial services organizations operating in the State of New York.

The purpose of this regulation is to ensure that financial services entities carry out their due diligence to comprehensively protect their customers and information systems from cyberattacks.

The regulation requires covered entities (CEs) to implement the following requirements by August 18, 2017:

  • A cybersecurity program - Develop, maintain and document a cybersecurity program designed to protect the confidentiality, integrity and availability of the covered entity's information systems. This program must be based on the entity's risk assessment. All documentation and information relevant to the program must be made available to the superintendent upon request.
  • Cybersecurity policy and incident response plan - Develop and maintain a written cybersecurity policy and incident response plan based on the entity’s risk assessment.
  • Chief Information Security Officer (CISO) - Nominate a qualified individual for overseeing and implementing the cybersecurity program and enforcing cybersecurity policy. The person does not need a CISO title, and a third party can be used.
  • Training cybersecurity personnel - Utilize qualified personnel (including third-party service providers) with current industry knowledge and training to manage changing cybersecurity threats and develop the right countermeasures.
  • Limit access privileges - Companies are expected to limit user access privileges, and to periodically review those privileges.
  • Notifying the Superintendent of cybersecurity events - Effective as of August 28, 2017, covered entities must notify the NYDFS no later than 72 hours after it determines an act or attempt, successful or unsuccessful, was made to gain unauthorized access to, disrupt, or misuse IT resources or the information stored on it.
  • Risk assessment - Covered entities are advised to conduct a limited risk assessment, as it affects the development and implementation of a company’s cybersecurity program, cybersecurity policies, and access privilege restrictions.