23 NYCRR 500 Cybersecurity Compliance for Financial Institutions

What is the NYDFS Cybersecurity Regulation?

Research shows the rate of breaches in the financial services sector tripled over the past five years.* After all, this is literally where the money is.

This makes financial institutions a target-rich environment for cybercriminals, since they offer multiple avenues for profit such as extortion, theft, and fraud. Beyond the obvious motivation of financial gain, nation-states and hacktivists also target the financial sector for political and ideological reasons.

As a response to the ever-growing threat posed to information and financial systems, the NY Department of Financial Services (NYDFS) has issued the NYDFS Cybersecurity Regulation (23 NYCRR 500), a relatively new set of regulations that places cybersecurity requirements on all covered financial institutions.

The regulation aims to protect DFS-regulated entities as well as New York consumers whose private information may be exposed or stolen.

Who must comply with 23 NYCRR 500?

The NYDFS Cybersecurity Regulation covers any organization, including nonresident licensees, that is regulated by the New York Department of Financial Services. This includes:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

What are the 23 NYCRR 500 Requirements?

The regulation requires covered entities to assess their cybersecurity risk profile, then implement and maintain a comprehensive cybersecurity program that recognizes and mitigates that risk, in accordance with a specific compliance timeline.

A covered entity is defined as “any person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”

NYDFS Required Cybersecurity Services

In the 23 NYCRR 500, the NYDFS communicates a strong sense of urgency for financial institutions to create a cybersecurity program:

“It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs. The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark. Adoption of the program outlined in these regulations is a priority for New York State.”

The 23 NYCRR 500 mandate requires several minimum standards including:

  • Cybersecurity Program Development
  • Cybersecurity Policy
  • Chief Information Officer
  • Risk Assessment
  • Penetration Tests
  • Training and Monitoring
  • Incident Response Plan

Sword & Shield’s NYDFS Compliance Services

Sword & Shield partners with you to achieve NYDFS compliance. We take the stress off you by helping to make sense of the new NYDFS requirements and how they apply to your business. Our security experts help you to identify your risks and vulnerabilities, develop a remediation plan, and continue to work with you to maintain or improve your 23 NYCRR 500 compliance.

*2018 “Cost of Cyber Crime Study” published by Accenture and the Ponemon Institute
