NYS DFS 23 NYCRR 500
23 NYCRR 500 is a set of regulations from the NYS Department of Financial Services that places cybersecurity requirements on all covered financial institutions. The document and its requirements were released on February 16th, 2017. By March 1, 2018, all covered organizations must be in compliance with the regulations. These regulations are designed to ensure businesses effectively protect their customers' confidential information from cyber-attacks. Non-compliance with the rule can incur fines of $250,000 or one percent of total banking assets. Requirements include:
500.02 - Establish an effective cybersecurity program
500.03 - Create and maintain a written cybersecurity policy
500.04 - Designate a chief information security officer (CISO)
500.05 - Perform vulnerability scanning and/or penetration testing
500.09 - Perform regular security risk assessments
500.10-11 - Hire qualified cybersecurity personnel or utilize third-party service providers
500.14 - Provide regular security awareness training for all personnel
500.16 - Establish an incident response plan
500.17 - Submit notification of incidents to the NYS DFS within a 72-hour window
The organizations that have to comply with the requirements of 23 NYCRR 500 include but are not limited to the following:
‣ State-chartered banks
‣ Licensed lenders
‣ Private bankers
‣ Foreign banks licensed to operate in New York
‣ Mortgage companies
‣ Insurance companies
‣ Service providers
Who Is Exempt?
Organizations that employ fewer than 10 people, have produced less than $5 million in gross annual revenue from New York operations in each of the past three years, or hold less than $10 million in year-end total assets are exempt from certain requirements of the Regulation.
For a free consultation on the NYS DFS 23 NYCRR 500 regulations, and to find out how your organization can comply, please contact DataSure24 at 716-600-3724 or fill out a contact request form at the bottom of this (and every) page.