About New York's Cybersecurity Regulation 23 NYCRR 500


23 NYCRR 500 New York Cybersecurity Regulation

If you work in the New York insurance, banking or finance industry, pay careful attention to this article about the sweeping new regulations being placed on businesses and organizations that hold licenses issued by New York's Department of Banking and Financial Services (DFS): your business will most likely have to make serious changes to its IT cybersecurity processes, technical safeguards and governance. The initial deadline for compliance is August 28, 2017.

New York Cybersecurity Regulation (23 NYCRR 500) – who it affects, what is required and deadlines for compliance and exemptions

Do They Affect Me? Who Can Get 23 NYCRR 500 Exemptions? What Does a Limited Exemption Mean?

The New York Department of Financial Services (NYDFS) promulgated a new set of cybersecurity regulations for the banking, insurance, and financial sectors operating within the state. 23 NYCRR 500 went into effect on March 1, 2017. With these regulations, New York is now the first state in the country to mandate minimum cybersecurity standards. 23 NYCRR 500 sets data security requirements for all financial institutions. We have been fielding many calls from clients inquiring about these trailblazing rules. This article outlines the entities the regulations cover, the requirements those covered entities must adhere to, and a timeline for compliance.

Who the Regulations Cover

23 NYCRR 500 applies to individuals and non-governmental entities operating in the state of New York under authorization of the Banking Law, the Insurance Law, or the Financial Services Law; these are known as Covered Entities. Examples include insurance companies, independent insurance adjusters, financial services companies and banks.

Am I exempt from 23 NYCRR 500?

A Covered Entity may have a limited exemption from certain provisions* of the regulations if it has:

  • Fewer than 10 employees, including any independent contractors of the entity or its affiliates located in New York or responsible for business of the entity
  • Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations of the entity and its affiliates
  • Less than $10 million in year-end total assets, including assets of the affiliates, calculated in accordance with generally accepted accounting principles

* 23 NYCRR 500.19(a). The provisions in question are 500.04, 500.05, 500.06, 500.08, 500.10, 500.12, 500.14, 500.15, and 500.16.

Certain entities that do not handle classes of nonpublic information may be eligible for a limited exemption from certain provisions. 23 NYCRR 500.19(c) and (d).

If an entity qualifies for one of the exemptions, it must file a Notice of Exemption within 30 days of the determination of the exemption (23 NYCRR 500.19(e)). It is also very important to note that even if you are covered under a limited exemption, you will still need to comply with several of the requirements of the new law.

Basic Requirements of 23 NYCRR 500

These cybersecurity regulations are designed to promote the protection of customer information and the information technology systems of the regulated entities. Each company must assess its specific risk profile and design a program that addresses its risks in a robust fashion. Management must be informed of any risks and of how they evolve over time (23 NYCRR 500.09(a)). Senior management is responsible for the entity's cybersecurity program and must file an annual certification confirming compliance with the regulations.

Covered entities must implement and maintain a cybersecurity program and written policies, approved by a senior officer, the board of directors or an equivalent governing body, that identify the policies and procedures for the protection of their information systems and the nonpublic information stored on those systems. That cybersecurity policy must be based on a risk assessment and, where applicable, address the areas enumerated in 23 NYCRR 500.03.

As you can see, the regulations go beyond consumer protection to include business continuity, disaster recovery, asset inventory, and systems operations.

The Cybersecurity program must cover policies and procedures for:

  • Cybersecurity personnel and intelligence
  • Third party service provider security
  • Multi-factor or two-factor authentication
  • Limitations on data retention
  • Continuous Training and monitoring of personnel
  • Encryption of non-public information
  • Incident response plan

23 NYCRR 500.10 through 500.16

Once the cybersecurity program is in place, it must be either continuously monitored or periodically tested through penetration testing and vulnerability assessments (23 NYCRR 500.05). Entities are also required to review the access privileges to information systems that provide access to nonpublic information, their application security policies, and the risk that third party service providers present (23 NYCRR 500.05 through 500.08).

The entity needs to designate a Chief Information Security Officer (CISO) who oversees the cybersecurity program and enforces the cybersecurity policy. That person can be an employee or a third-party service provider. The CISO must report, at a minimum, annually to the board of directors (23 NYCRR 500.04).

An entity must notify the NYDFS superintendent within 72 hours of determining that a cybersecurity event has occurred that either (a) impacts the entity and requires notice to any government body, self-regulatory agency, or other supervisory body, OR (b) has a reasonable likelihood of materially harming any material part of the entity's normal operations (23 NYCRR 500.17). Cybersecurity events include unsuccessful attempts (23 NYCRR 500.01(d)). Annual self-certifications are also required.

Even if you are an exempt entity, you must conduct the risk assessment, establish policies for third-party service providers, establish data retention policies, and meet the breach notification and annual notice requirements.

Deadlines for Compliance

The requirements have varying compliance deadlines (23 NYCRR 500.22). Here is an overview:

August 28, 2017

  • Cybersecurity program in place
  • Cybersecurity policy created
  • Designation of a CISO
  • Limitation of user access privileges
  • Use, training and verification of cybersecurity personnel and intelligence
  • Development of an incident response plan

February 15, 2018

March 1, 2018

  • Monitoring and periodic penetration testing and vulnerability assessments
  • Risk assessment+
  • Multi-factor authentication
  • Training and monitoring
  • First CISO report to board of directors

September 1, 2018

  • Implementation of audit trail
  • Application security
  • Limitations on data retention+
  • Establishment of a continuous monitoring program
  • Encryption of nonpublic information

March 1, 2019

  • Creation of third party service provider security policy+

+ Not subject to exemptions.

This is only a summary of the more prominent requirements. See 23 NYCRR 500 for the entire regulation.