Explaining 23 NYCRR 500

What you need to know to stay secure

The financial sector is under cyber siege. Four thousand cyber-attacks a day are threatening global financial stability. Ever more sophisticated methods to extort funds and hold them hostage via ransomware are on the rise, with hackers evading detection with alarming ease. Statistics say that by the end of 2017, spending on information security will reach $86.4 billion, with projections of $93 billion for 2018 and a staggering one trillion dollars by 2021.

To combat the threat and protect consumers, the New York Department of Financial Services began compliance steps toward a new standard, 23 NYCRR 500 (get an in-depth printable version here), in March 2017. Here’s our breakdown of what that means, and how businesses can play their part in a safer future.

Who does it affect?

Any entity regulated by the Department of Financial Services must comply, such as the following examples:

  • Insurance companies and agencies doing business in New York
  • Financial Service Centers
  • Mortgage Brokers
  • Mortgage companies
  • Private bankers
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Non-U.S. banks that conduct business in New York
  • Licensed lenders

Any business in doubt as to whether or not 23 NYCRR 500 applies to it should contact the Department of Financial Services.

The key points

Everyone who is required to comply will have to provide evidence that they have taken steps to safeguard the confidentiality and integrity of sensitive client data. Areas of the utmost importance include information security, data governance and classification, asset inventory and device management, and access controls and identity management.

Companies have the responsibility to assess external and internal cyber risks and to implement an incident response plan which shows how they will respond in the event of a data breach. They’ll be rated on speed of response and on how quickly they can inform not only DFS but also clients about the nature and scale of the breach.

The appointment of a Chief Information Security Officer (CISO) and cybersecurity personnel is also key. The CISO can be in-house or be provided by a third party. It’s their duty to provide qualified expertise as the cybersecurity program is implemented, and to continually oversee its operation. The CISO can also nominate a member of the organization they’ve been hired to protect: a staff member who will also become responsible for keeping the cyber side running smoothly.

Limited exemptions to 23 NYCRR 500

As the name implies, this regulation applies solely to entities operating in the state of New York. To qualify for a limited exemption, organizations must meet one or more of the following criteria:

  • Have fewer than 10 employees
  • Have less than $5 million gross annual revenue in the last three fiscal years
  • Have less than $10 million in year-end total assets

These limited exemptions are just that: limited and applicable only to certain sections of the regulation; all other sections must still be complied with. For a definitive look, pages 10 and 11 of the official notice clarify the nature of every exemption.

Important dates for 2017 and 2018

The following is a list of deadlines (past and future), most applying to the upcoming year:

  • March 1, 2017 – 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 – 180-day transitional period ends. Covered Entities were required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
  • October 31, 2017 – The Limited Exemption Filing deadline was extended to this date.
  • February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 – The one-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 3, 2018 – The eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 – The two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

The Department of Financial Services offers this resource to answer common questions regarding 23 NYCRR 500. If your business hasn’t begun to take action toward the regulation, we recommend an immediate risk assessment of your operation to highlight any dangers.

It’s never too soon to get your cybersecurity in order. Even if you’ve missed the deadlines up until now you can still make a positive difference for yourself and your customers by taking action. In an ever more dangerous online world, we’re here to be the back-up you need.

CyberGuard 360’s clients across four states and 40 industries are guided safely through the threat landscape. Our wide array of services includes system security suites, risk assessment, education and training, and disaster recovery, and we specialize in helping New York companies comply with 23 NYCRR 500. If you’d like us to put our expertise to work for you, we’d be happy to help. Call us at 844-315-9882 or use our contact form for a free consultation.