

23 NYCRR 500 is a set of regulations from the NYS Department of Financial Services that places cybersecurity requirements on all covered financial institutions. The document and requirements were released on February 16th, 2017. By March 1, 2018, all organizations must be in compliance with the regulations. These regulations are designed to ensure businesses effectively protect their customers’ confidential information from cyber-attacks. Noncompliance with the rule can incur fines of $250,000 or one percent of total banking assets. Requirements include:

  • 500.02 - Establish an effective cybersecurity program 

  • 500.03 - Create and maintain a written cybersecurity policy 

  • 500.04 - Designate a chief information security officer (CISO) 

  • 500.05 - Perform vulnerability scanning and/or penetration testing 

  • 500.09 - Perform regular security risk assessments 

  • 500.10-11 - Hire qualified cybersecurity personnel or utilize third-party service providers 

  • 500.14 - Provide regular security awareness training for all personnel 

  • 500.16 - Establish an incident response plan 

  • 500.17 - Submit notification of incidents to the NYS DFS within a 72-hour window 


Which Organizations?

The organizations that have to comply with the requirements of 23 NYCRR 500 include but are not limited to the following:

‣ State-chartered banks

‣ Licensed lenders

‣ Private bankers

‣ Foreign banks licensed to operate in New York

‣ Mortgage companies

‣ Insurance companies

‣ Service providers


Who Is Exempt?

Organizations that employ fewer than 10 people, produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.

For a free consultation on the NYS DFS 23 NYCRR 500 regulations, and to find out how your organization can comply, please contact DataSure24 at 716-600-3724 or fill out a contact request form at the bottom of this (and every) page.
