
17 Regulations of 23 NYCRR Part 500 and The Deadlines for Each

posted by Rich Delaney, CTO

July 01, 2018

The New York State Department of Financial Services (NYS DFS) has stipulated 17 separate cybersecurity regulations that apply to all covered entities under its jurisdiction. The purpose of the regulations is to enhance data security and to prepare for and prevent cybersecurity attacks against financial institutions that hold confidential non-public or customer information, otherwise known as PII. Delaney Computer Services has compiled a list of covered entities and their respective requirements under §500 of the law, together with the deadline date for each requirement.

Here is a short list of the covered entities under the NYS DFS 23 NYCRR Part 500 rules:

  • Insurance companies
  • Insurance agents
  • Banks
  • Charitable Foundations
  • Consumer lenders
  • Mortgage Brokers
  • Holding companies
  • Premium finance agencies

Limited Exemption under §500.19

If you fall under, and are claiming, limited exemption status under §500.19, the table below marks the eight of the seventeen specific cybersecurity regulations that you are still required to adhere to, with their respective deadline dates. DCS has also seen a lot of confusion between Exempt and Limited Exemption. It is important for covered entities to understand that limited exemption means limited: you must still comply with specific regulations under 23 NYCRR Part 500, including their respective compliance deadlines, which still need to be implemented and adhered to.

Please note that the table below is ordered by section of the law, not by deadline date.

| Section     | §500.19 status | Regulation                                                                                                                             | Deadline |
|-------------|----------------|----------------------------------------------------------------------------------------------------------------------------------------|----------|
| §500.2      | Required       | Cybersecurity program to be maintained                                                                                                 | 3/1/2017 |
| §500.3      | Required       | Written cybersecurity policy approved by a senior officer or the board; may be an affiliate's program                                  | 3/1/2017 |
| §500.4      | Exempt         | Chief Information Security Officer must be appointed; can be an affiliate or outside contractor                                        | 3/1/2018 |
| §500.5      | Exempt         | Penetration testing or continuous monitoring                                                                                           | 3/1/2018 |
| §500.6      | Exempt         | Audit trail: maintain financial and other information for two to five years                                                            | 9/1/2018 |
| §500.7      | Required       | Limit and review access privileges to PII                                                                                              | 3/1/2017 |
| §500.8      | Exempt         | Application security: written procedures for in-house applications                                                                     | 9/1/2018 |
| §500.9      | Required       | Periodic risk assessments in accordance with written policies                                                                          | 3/1/2018 |
| §500.10     | Exempt         | Use, hiring and training of qualified cybersecurity personnel                                                                          | 3/1/2017 |
| §500.11     | Required       | Third-party providers: written policy and procedures                                                                                   | 3/1/2019 |
| §500.12     | Exempt         | Multi-factor authentication for accessing data from an external network                                                                | 3/1/2018 |
| §500.13     | Required       | Limitations on data retention: cannot maintain unnecessary data                                                                        | 9/1/2018 |
| §500.14 (a) | Exempt         | Implement risk-based policies, procedures and controls designed to monitor and detect unauthorized access to information systems       | 9/1/2018 |
| §500.14 (b) | Exempt         | Provide regular cybersecurity awareness training for all personnel, updated to reflect pertinent risks identified during the risk assessment | 3/1/2018 |
| §500.15     | Exempt         | Encryption of all non-public information                                                                                               | 9/1/2018 |
| §500.16     | Exempt         | Establish a written incident response plan for cybersecurity events and incidents                                                      | 3/1/2017 |
| §500.17     | Required       | Notice to the Superintendent of cybersecurity events                                                                                   | 3/1/2017 |
| §500.18     | Required       | Maintain confidentiality of non-public information                                                                                     | 3/1/2017 |