August 16, 2018

Last Updated on January 19, 2024

Entities registered with New York State’s Department of Financial Services (NYDFS) are subject to compliance with the 23 NYCRR 500 (aka “Part 500” or “NYDFS 500”) cybersecurity regulation, and a new deadline is fast approaching.

Entities who must comply include:

  • Bank and trust companies
  • Insurance firms
  • Mortgage lenders
  • Investment brokers
  • Other financial services providers

Effective March 1, 2017, the mandate required each “covered entity” to assess its cybersecurity risk profile with respect to all its data—not just customers’ personal data—and implement a robust risk mitigation program that encompasses policies, procedures, and controls. Boards of Directors must certify annually that their firm is compliant. 

5 Important Rules for the Sept. 3 Deadline

23 NYCRR Part 500 has a series of compliance deadlines, and a big one is coming up on Monday, September 3rd.  By that date, all covered entities must be ready to prove they comply with five additional sections of the regulation:

500.06—Audit Trail

Maintain an audit trail that enables effective cyber event detection and response, including the ability to reconstruct financial transactions to support business continuity. 

500.08—Application Security

Document procedures and standards to ensure secure development practices for in-house applications, plus a program for assessing the security of third-party software. 

500.13—Limitations on Data Retention

Secure, periodic disposal of “nonpublic information” no longer needed, in alignment with documented policies and procedures. 

500.14—Monitoring of Authorized Users 

Implement controls to monitor authorized users’ activity and detect unauthorized access or tampering. 

500.15—Encryption of Nonpublic Information 

Encrypt nonpublic information both in transit and at rest, and provide alternative controls where that is deemed infeasible. 

Many organizations will struggle with some or all of these requirements. For example, implementing a strong SDLC to address Application Security is a challenge even in our largest and most mature clients. Likewise, many firms will need to implement log consolidation/SIEM tools to successfully monitor users and detect unauthorized attempts to access or alter data.
Achieving and maintaining compliance with 23 NYCRR 500 and other cybersecurity regulations can be complex and challenging. However, the process need not be stressful or put your business at risk of sanctions.
To start a conversation on how best to address your cybersecurity compliance goals and concerns, contact Pivot Point Security.

For more information on NYDFS compliance deadlines:

  • You can read the text of the 23 NYCRR 500 regulation here. 
  • A comprehensive compliance timeline for the regulation. 

The NYDFS regulation is a response to information & financial systems' growing security threats

Required assessments focus on discovering and controlling an organization’s risks.
For a “common sense” breakdown, download our NYDFS Roadmap now.