Skip to main content

What you need to know about 23 NYCRR 500.

By February 27, 2017May 14th, 2021Cybersecurity

NY DFS 23 NYCRR 500 and You

March 1, 2017 is quickly approaching.  This is the day when the State of New York’s Department of Financial Services (DFS) will officially enact the new cybersecurity requirements detailed in NY DFS 23 NYCRR 500.   What could this mean for your company?  If you do business in New York and fall under the DFS (Banking, Financial Services, Insurance, or even Educational Institutions), there is likely some work ahead that needs to be done.  While there are some exceptions in the new regulations, even the small firms have to pay attention.

Establish a Cybersecurity Program

If you don’t have one already, you will need to have an official cybersecurity program established to ensure the assessment and protection of your information systems.

Document Cybersecurity Policies

Based upon NIST cybersecurity framework, these policies lay the groundwork for a strong company infrastructure which allows for more confidence and security in your company for customers.  23 NYCRR 500 requires documented policies.  Here you can find the latest NIST 800-53r4 document which covers the necessary categories.

Establishment of a Chief Information Security Officer

This is the person responsible for overseeing the cybersecurity program and ensuring all policies are being followed.  This can be an outsourced position, as long as the Board trusts them.

Penetration Testing and Vulnerability Assessments

Annual Penetration testing and bi-annual vulnerability assessments will be an ongoing requirement.

Audit Trail

Auditing for financial transactions will need to be maintained for a minimum of five years.  In addition, audit trails related to the detection and response to cybersecurity events will need to be maintained for three years.

Cybersecurity Awareness Training

Ongoing cybersecurity education and awareness training will be required to ensure all employees are aware of current policies and are performing in a risk averse manner.

Encryption of Nonpublic Information

Nonpublic data needs to be protected within your network using encryption methods wherever possible.

Incident Response Plan

Incident Response (IR) is at the core of any cybersecurity planning.  How you deal with an incident is something that needs to be clearly documented and even practiced regularly.  A proven IR plan will go a long way to saving your company time, money and resources in the event of a cybersecurity incident.

And More!

There are many additional technology requirements which are addressed in 23 NYCRR 500 such as setting specific access privileges for employees, application security practices, configuration of multi-factor authentication, etc.

What should you do?

It can be daunting.  This sounds like a lot of work. And it can be.  However, you have seasoned professionals at your disposal who can help you with this.  Alpine Cyber Solutions has established itself as a trusted cybersecurity and cloud computing partner for many companies across various industries.  We have advised and supported companies with bolstering their cybersecurity solutions by developing NIST compliant policies and ensuring their systems align with the framework as well as their own business goals. We also provide managed security services for customers in need of continuous monitoring and incident response.  We have a team of cybersecurity experts who are well versed in the latest technologies and techniques.  We are already intimate with the NIST Cybersecurity Framework and have years of experience with the related policies, IR planning, etc.  Don’t hesitate to take advantage of our experience to help you get to where you need to be.

Dave Bock

Author Dave Bock

More posts by Dave Bock