23 NYCRR 500

NYDFS Cybersecurity Regulation: How to make sure you comply

Gain clarity and ensure compliance with a trusted partner.

Feeling overwhelmed by the NYDFS Cybersecurity Regulation? You’re not alone.

The NYDFS Cybersecurity Regulation (23 NYCRR 500) sets strict requirements for financial institutions in New York State to protect customer data and safeguard their information systems. At the end of 2023, the DFS finalized its latest amendment to the regulation.

But don’t worry – we are here to help you navigate the complexities of 23 NYCRR 500 and its latest amendment, and to ensure your institution remains compliant.

The 2023 amendments in a nutshell

The November 2023 amendments to the 23 NYCRR 500 introduced several significant changes, amplifying the focus on accountability and risk management.

Key changes include:

Enhanced Governance

The amendments call for enhanced governance structures, including board-level oversight and establishing a cyber security committee that is responsible for providing guidance and direction on cyber security matters.

Cybersecurity Policy

Under the latest amendments, data retention must now be codified in policy, and a security awareness and training policy is now required.

Annual Audit

Class A entities must conduct independent annual audits of their cyber security program.

Ransomware Reporting

A new requirement mandates reporting ransomware attacks to the NYDFS within 72 hours of detection, regardless of their perceived impact on the covered entity.

Asset Management and Data Retention

Affected entities are required to produce and maintain a complete, accurate and documented asset inventory updated at a defined frequency and which tracks key information for each asset.

Certification Signed by the CEO

The annual certification of compliance must be signed by the CEO of the entity.

Does the 23 NYCRR 500 apply to you?

The 23 NYCRR 500 applies to various financial institutions operating in the State of New York.

This includes:

Banks, Trust Companies, and Banking Organizations
This category includes traditional banks, trust companies, and any organization defined as a bank under the New York State Banking Law.

Insurance Companies
The regulation covers all insurance companies licensed to transact business in New York State.

Charterers and Licensed Lenders
Entities authorized by the NYDFS to act as money transmitters or engage in similar financial activities are covered.

Pension Brokers and Fund Administrators
Pension brokers and employee welfare fund administrators licensed by the NYDFS must comply.

Foreign Banks with a New York Branch
Foreign banks operating a branch in New York State must adhere to the regulation’s requirements.

The regulation also holds the following parties accountable:

C-suite executives (CEO)
Ultimately responsible for signing the annual compliance certification.

Board of Directors (BoD)
Holds the ultimate responsibility for cyber risk management and must possess cyber security knowledge.

Legal, Regulatory Compliance, and Risk Management
Ensure regulation adherence and cyber risk management.

IT and Cyber Security Decision Makers (CIO, CISO)
Tasked with implementing and maintaining the cyber security program.

How we can help you stay compliant

We’re security builders with a proven track record of over 30 years in the cyber security industry. Our research-driven consultants don’t just identify problems—they solve them by thinking like attackers themselves.

We believe in co-security, working as an extension of your team to achieve your goals. We are your trusted partner because we believe in the following:

1. Clear and concrete advice
We give clear, concise explanations of the regulation, cutting through the jargon and empowering you to make informed decisions.

2. Tailored and actionable solutions
We go beyond theory, offering practical guidance and proven solutions to address your specific needs.

3. Experience you can trust
With over 30 years of cyber security experience, we have a proven track record of helping organizations – including some of the world’s largest financial institutions – achieve compliance and mitigate cyber risks.

Our NYCRR service offerings

We understand the complexities of the 23 NYCRR 500 and its challenges.

That’s why we offer a comprehensive suite of services designed to help you achieve and maintain compliance efficiently.

Cyber Security Program Design | Security Strategy

Our experts help you design and implement a robust cyber security program that meets the regulation’s requirements.

→ This service helps you fulfill the §500.02 Cybersecurity Program (b) requirement.

Annual Independent Audit of the Cyber Security Program | Cyber Security Maturity Assessment

We conduct thorough cyber security maturity assessments (CMAs) modeled after our proven PCI DSS compliance assessments.

→ This service helps you fulfill the §500.02 Cybersecurity Program (b) requirement.

Remediation Plan Development | Security & Risk Management

Following a CMA, we’ll help you craft a comprehensive remediation plan to address identified gaps.

→ This service helps you fulfill the §500.17 Notices to Superintendent (b)(1)(ii) requirement.

Penetration Testing | Security Assurance

We offer penetration testing services to identify and address vulnerabilities in your information systems.

→ This service helps you fulfill the §500.05 Vulnerability Management (a) requirement.

Incident Response Plan Testing | Incident Readiness Exercises

We conduct realistic incident response plan testing exercises to ensure your team is prepared to handle security incidents effectively.

→ This service helps you fulfill the §500.17 Notices to Superintendent (b)(1)(ii) requirement.

Annual Reporting | Board of Directors Reporting Package

After a CMA, we can help you create a BoD reporting package that meets 23 NYCRR 500 requirements.

→ This service helps you fulfill the §500.04 Cybersecurity Governance (b) requirement.

Examination Support

We help you throughout the NYDFS 23 NYCRR 500 examination process, including pre-examination preparation and post-examination support.

Take the first step to 23 NYCRR 500 compliance with a clear picture of your exposure

Navigating the 23 NYCRR 500 can be daunting. That’s why our no-nonsense experts are here to help you achieve compliance.

We combine industry-leading security solutions with a deep understanding of the regulation to give practical guidance and actionable solutions.

Starter package: What’s your 23 NYCRR 500 exposure?

This package includes interviews with key executives and service owners to define your company’s NYCRR scope and a high-level roadmap to address the most significant gaps.

Don’t wait until a cyber attack strikes. Proactively ensure you’re compliant with 23 NYCRR 500.

Take the next step to 23 NYCRR 500 compliance with a clear picture of your exposure

Contact us today, and let us guide you on the path to a secure future.

Not Sure Yet? Let’s Talk!

We offer a free 60-minute consultation with our cyber security experts to discuss your 23 NYCRR 500 compliance needs.

Related content

October 14, 2024 | Events, Webinars
Webinar: Navigating the NYDFS Cybersecurity Regulation
During this webinar, our experts will take one section of the NYDFS Cybersecurity Regulation and apply it to an anonymized company.

June 13, 2024 | Webinars
NYDFS 500: Simplifying the second amendment
During this webinar, our experts review and summarize the key changes in the Second Amendment, offering recommendations and advice on how organizations can ensure they remain compliant.

August 31, 2023 | Our thinking
NYDFS 500 cybersecurity regulation: What’s changed?
This document provides interesting insights into the thought process of covered entities and the NYDFS as they work toward finalizing the second amendment.

Whitepapers
NYDFS 500 – Plan for stronger cyber security compliance
This whitepaper discusses the “bar raisers”: the changes to NYDFS 500 that will require action even from companies currently in compliance.

Whitepapers
NYS DFS 500 amendment explainer
This whitepaper discusses the “bar raisers”: the changes to NYDFS 500 that will require action even from companies currently in compliance.

February 16, 2024 | Our thinking
NYDFS 500 vs. DORA: Comparison for European financial institutions
This is a comprehensive comparison of NYDFS 500 and DORA to help European financial institutions prepare for the Digital Operational Resilience Act.

Check out our latest research on WithSecure Labs

For techies, by techies – we share knowledge and research for public use within the security community. We offer up-to-date research, quick updates, and useful tools.
