What is 23 NYCRR 500?
23 NYCRR 500 (formally 23 NYCRR Part 500) is the New York State regulation that requires insurance companies, banks, and other financial services institutions licensed in New York to establish and maintain a cybersecurity program that protects consumers' nonpublic information and the safety and soundness of the state's financial services industry. The regulation was issued by the New York Department of Financial Services (NYDFS) and came into effect on March 1, 2017. It applies to every covered entity regardless of where the entity is headquartered; Section 500.19 grants limited exemptions to the smallest entities and to certain narrowly scoped licensees, but even exempt entities must file a notice of exemption with NYDFS.
Why Does 23 NYCRR 500 Exist?
23 NYCRR 500 was introduced in response to the growing number and sophistication of cyber attacks targeting the financial services sector. Rather than leaving each institution to decide its own security posture, the regulation sets minimum, enforceable requirements for a cybersecurity program, with the goal of protecting customer information and the information systems of regulated entities against online threats.
Who Needs to Comply with 23 NYCRR 500?
Every "covered entity" regulated by NYDFS must comply with 23 NYCRR 500. A covered entity is any person or organization operating under a license, registration, charter, certificate, permit, accreditation, or similar authorization under New York's Banking Law, Insurance Law, or Financial Services Law, which includes banks, insurers, and other financial services institutions. Third-party service providers are not directly regulated, but they are affected indirectly: under Section 500.11, a covered entity must maintain written policies and procedures, including due diligence and minimum required security practices, to ensure the security of the information systems and nonpublic information that its service providers can access or hold. In practice this means vendors to covered entities are routinely asked to demonstrate controls that align with the regulation.
How Is 23 NYCRR 500 Used?
23 NYCRR 500 lays out the components a covered entity's cybersecurity program must contain. These include a written cybersecurity policy approved by senior management or the board, designation of a Chief Information Security Officer (CISO) who reports on the program at least annually, periodic risk assessments that drive the design of the program, penetration testing and vulnerability assessments, multi-factor authentication for access to nonpublic information and for remote access, limits on data retention, encryption of nonpublic information in transit and at rest, audit trails, a written incident response plan, and notification to NYDFS within 72 hours of determining that a reportable cybersecurity event has occurred. To demonstrate compliance, each covered entity must submit an annual certification of compliance (or an acknowledgment of non-compliance with a remediation plan) to the NYDFS superintendent, and must retain the records supporting that certification.
23 NYCRR 500 in the Context of Cybersecurity
The shift to cloud infrastructure and DevOps practices expands the attack surface of a financial institution, which makes 23 NYCRR 500 increasingly relevant to day-to-day security engineering rather than only to compliance teams. Protecting cloud infrastructure, managing permissions, granting access only for the time it is needed, and enforcing least privilege are practical ways to meet the regulation's access control, risk assessment, and data protection requirements and to keep sensitive data out of reach of attackers. Whether the systems in question are SaaS platforms or in-house IT systems, a regulated entity should align its cybersecurity program with the 23 NYCRR 500 requirements.