- October 31, 2017
- SCA Editor
What is 23 NYCRR 500?
The Big Picture
The NYDFS Cybersecurity Regulation, 23 NYCRR 500, requires New York banks, financial services companies and insurance companies, including non-New York insurance companies who do business in New York, to perform a Cybersecurity Risk Assessment and to create and maintain a Cybersecurity Program based on the Risk Assessment. This risk-based approach is designed to protect the confidentiality, integrity, and availability of information systems, ultimately protecting consumers and the New York State financial services industry.
Taking a Closer Look – Who is Covered?
The NYDFS Cybersecurity Regulation applies to any business regulated by the NYDFS under the Banking Law, Insurance Law or Financial Services Law. These “covered entities” include:
- State-chartered banks
- Licensed Lenders
- Private bankers
- Service contract providers
- Trust companies
- Mortgage companies
- Foreign banks licensed to operate in New York
- Insurance companies doing business in New York
Covered entities that meet any of the following criteria qualify for a limited exemption from some of the regulation’s requirements:
- Fewer than 10 employees
- Less than $5 million in gross annual revenue for each of the last three years from NY business operations, OR
- Less than $10 million in year-end total assets
Taking a Closer Look – What is Required?
The NYDFS Cybersecurity Regulation requires the above-covered entities to create and maintain a Cybersecurity Program based on their Cybersecurity Risk Assessment. The Cybersecurity Program should perform the following functions:
- Identify and assess internal and external Cybersecurity risks
- Use defensive infrastructure and the implementation of policies and procedures to protect the Covered Entity’s Information Systems
- Detect Cybersecurity Events
- Respond to identified or detected Cybersecurity Events to mitigate any negative effects
- Recover from Cybersecurity Events and restore normal operations and services
- Fulfill applicable regulatory reporting obligations