23 NYCRR 500 Cybersecurity regulation
Whom NYCRR 500 applies to
This law applies to any registered entity providing financial services in the state of New York including:
- Licensed lenders
- State-chartered banks
- Trust companies
- Service contract providers
- Private bankers
- Mortgage companies
- Insurance companies doing business in New York
- Non-U.S. banks licensed to operate in New York
Key requirements
Create risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
Document their cybersecurity policies.
Ensure that their security program is adequately funded.
Designate a chief information security officer (which can include a third-party service provider) and put qualified cybersecurity personnel in charge of its security program.
Create incident response plans that include preserving data in order to respond to data breaches including notice within 72 hours to the NYDFS of material events.
Ensure audit trails designed to detect and respond to cybersecurity events.
Create annual reports covering the risks faced, all material events, and the impact on protected data.
Develop and implement training to make employees aware of the organization’s cybersecurity program.
23 NYCRR 500: Enforcement and penalties for non-compliance
1) $2,500 per day during which a violation continues,
2) $15,000 a day in the event of a reckless practice or pattern of misconduct, or
3) $75,000 per day in the event of a knowing or willful violation.
