23 NYCRR 500 Cybersecurity Regulation
What Is 23 NYCRR 500 Cybersecurity Regulation?
On March 1, 2017, the state of New York rolled out the 23 NYCRR 500 regulation, a law that demands financial companies implement a detailed framework to better protect consumer data privacy.
To whom NYCRR 500 applies
This law applies to any registered entity providing financial services in the state of New York, including:
23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that identifies and mitigates that risk. The law sets out a set of requirements to help organizations prevent data breaches. Covered organizations need to:
To comply, covered entities must meet the standards set in the law, submit certification of compliance, and, every year following initial compliance, file a set of reports with the Department of Financial Services through the NYDFS website.
23 NYCRR 500: Enforcement and penalties for non-compliance
23 NYCRR 500 is enforced by the NYS Department of Financial Services. The Department of Financial Services has authority to issue a consent order, impose a civil penalty, or revoke the license of a financial institution under NY Banking Law. NY Banking Law authorizes penalties of up to:
1) $2,500 per day during which a violation continues,
2) $15,000 a day in the event of a reckless practice or pattern of misconduct, or
3) $75,000 per day in the event of a knowing or willful violation.