23 NYCRR 500 Cybersecurity regulation

On March 1, 2017, the state of New York rolled out the 23 NYCRR 500 regulation, a law that demands financial companies implement a detailed framework to better protect consumer data privacy.

Whom NYCRR 500 applies to

This law applies to any registered entity providing financial services in the state of New York including:

  • Licensed lenders
  • State-chartered banks
  • Trust companies
  • Service contract providers
  • Private bankers
  • Mortgage companies
  • Insurance companies doing business in New York
  • Non-U.S. banks licensed to operate in New York

Key requirements

23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. The law has set a set of requirements to assist organizations in preventing data breaches. Covered organizations need to:

  • Create risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.

  • Document their cybersecurity policies.

  • Ensure that their security program is adequately funded.

  • Designate a chief information security officer (which can include a third-party service provider) and put qualified cybersecurity personnel in charge of its security program.

  • Create incident response plans that include preserving data in order to respond to data breaches including notice within 72 hours to the NYDFS of material events.

  • Ensure audit trails designed to detect and respond to cybersecurity events.

  • Create annual reports covering the risks faced, all material events, and the impact on protected data.

  • Develop and implement training to make employees aware of the organization’s cybersecurity program.

To comply, covered entities must meet the standards set in the law, submit certification of compliance, and, every year following initial compliance, file a set of reports with the Department of Financial Services through the NYDFS website.

23 NYCRR 500: Enforcement and penalties for non-compliance

23 NYCRR 500 is enforced by the NYS Department of Financial Services. The Department of Financial Services has authority to issue a consent order, impose a civil penalty, or revoke the license of a financial institution according to NY Banking law. NY Banking law authorizes up to
1) $2,500 per day during which a violation continues,
2) $15,000 a day in the event of a reckless practice or pattern of misconduct, or
3) $75,000 per day in the event of a knowing or willful violation.
Image

Get the latest from Hyperproof

Stay ahead of the risk and compliance curve. Get the latest regulation updates and analysis, guidance on achieving continuous compliance, and exclusive opportunities. Sign up for Hyperproof's bimonthly newsletter.
Stay in-the-know