23 NYCRR 500: Demystified
What is 23 NYCRR 500?
It’s a fairly new set of cybersecurity standards (15 to be exact) designed to help businesses establish policies & standard operating procedures that will:
• identify, assess, and detect cyber risks;
• put defensive mechanisms in place to protect against threats; and
• react to and recover from cyber-attacks by restoring normal business operations as quickly as possible after an incident.
Who does 23 NYCRR 500 apply to?
All businesses regulated by the NY State Department of Financial Services (DFS) are expected to comply with the new standards that have been established. This includes any business required to operate under a license (or similar authorization) under the Banking Law, the Insurance Law, or the Financial Services Law.
Is anyone exempt from 23 NYCRR 500?
Yes – sort of. There are partial exemptions. Businesses with fewer than 10 employees (including independent contractors), or less than $5,000,000 in gross annual revenue in each of the last three fiscal years, or less than $10,000,000 in year-end total assets don’t have to comply with certain sections of 23 NYCRR 500.
In addition, businesses that don’t use, maintain, or control any Information Systems, and that do not control, own, access, generate, receive or possess non-public information (data), are also exempt from certain sections of 23 NYCRR 500.
For an in-depth explanation of exemptions, refer to section 500.19 of the 23 NYCRR 500 regulation, or get in touch with our team.
Why was 23 NYCRR 500 introduced?
As technology evolves at the speed of light, the risk of damaging cyber-attacks and security incidents increases. (This is a fact for every business – not only those regulated by the NYS DFS.) The standards established by 23 NYCRR 500 provide a minimum security framework that all regulated businesses (and their customers) will benefit from. Guidelines are provided to help business leaders develop policies & operating procedures that will safeguard non-public data and information systems.
As a result of the compliance process, businesses will have a documented information security framework that considers the following:
- Cyber Security Program & Policy (500.02 & 500.03)
- Designation of Chief Information Security Officer (500.04)
- Penetration Testing & Vulnerability Assessments (500.05)
- Audit Trail Standards & Policies (500.06)
- Access Control Standards & Policies (500.07)
- Application Security (500.08)
- Periodic Risk Assessments (500.09)
- Cybersecurity Personnel & Intelligence (500.10)
- Third party service provider security policies & compliance (500.11)
- Multi-Factor Authentication (500.12)
- Limitations on Data Retention (500.13)
- Monitoring & Awareness Training for Authorized Users (500.14)
- Encryption of Non-public Data (500.15)
- Incident Response Plan (500.16)
- Notifications to Superintendent (500.17)
I reviewed the regulation and I’m overwhelmed and confused. What should I do?
Relax! At first glance, the standards might look overwhelming, but there’s a transition period that allows time for planning & implementation; and there’s flexibility built in. Admittedly, the flexibility seems confusing at first; but remember, this is a framework to establish minimum cybersecurity standards.
Work with a dedicated IT team, or a third-party IT service provider (like us!) to evaluate your business against 23 NYCRR 500 guidelines and establish standards accordingly. When it makes sense for your business, additional security measures should be considered and implemented – over and above the guidelines that are outlined in 23 NYCRR 500. Over time, all security standards that you set for your business should be periodically re-evaluated since technology changes rapidly.
How long do I have to get with the program?
When 23 NYCRR 500 was introduced last year, NY State provided a helpful list of key dates (below) to define an important call-to-action.
It’s important to note that when filing for certification of compliance online, a senior manager or board member is essentially stating that, to the best of their knowledge, based on careful review, the business entity is 23 NYCRR 500 compliant for the previous calendar year. Once you’ve filed for certification or partial exemption, transitional periods allow time for planning and implementation of newly developed and/or revised security policies & procedures resulting from your certification. Utilize this time to evaluate and contract with service providers when applicable, and put any new security plans into action.
Key Dates:
- March 1, 2017 – 23 NYCRR Part 500 becomes effective.
- August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
- September 27, 2017 – Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to be compliant with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be compliant with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
- March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be compliant with the requirements of 23 NYCRR 500.11.