What is the 23 NYCRR 500 Regulation?

In prior blogs, we discussed the rise of data privacy regulations across all industries and how it has been challenging for organizations to stay on top of the varying and conflicting requirements. In this blog, we take a look at New York’s law – 23 NYCRR 500 – that has a high impact on the financial, banking and insurance industries in the U.S.

On March 1, 2017, the state of New York rolled out the 23 NYCRR 500 regulation, a law that demands financial companies implement a detailed framework to better protect consumer data privacy. This is similar to PCI DSS, which also lays out how retailers must demonstrate that they have taken reasonable care to prevent data breaches by following specific processes, installing and maintaining equipment, and reporting.

What is 23 NYCRR 500?

New York State Department of Financial Services (NYDFS) has used its authority under state law to protect consumers and to “ensure the safety and soundness of the institution on behalf of their clients,” to create new regulations around cybersecurity. These apply to any registered entity providing financial services including insurance companies, banks, as well as financial services institutions. The 23 NYCRR 500 is part 500 of the NYDFS’s overall body of regulation.

In short, 23 NYCRR 500 requires supervised entities to assess their cybersecurity risk profiles and implement a comprehensive plan that recognizes and mitigates that risk. Certain regulatory minimum standards have been set to assist organizations in preventing data breaches, including:

• Risk-based minimum standards for information technology systems, including data protection and encryption, access controls, and penetration testing.
• Requirements that a program is adequately funded, overseen by a chief information security officer (which can include a third-party service provider), and implemented by qualified cybersecurity personnel.
• Effective incident response plans that include preserving data in order to respond to data breaches including notice within 72 hours to the NYDFS of material events.
• Accountability provided by identification and documentation of deficiencies, remediation plans, and certifications of compliance on an annual basis.
• Audit trails designed to detect and respond to cybersecurity events.
• Annual reports covering the risks faced, all material events, and the impact on protected data.

What types of organizations must comply?

The NYDFS Cybersecurity Regulation covers any organization that is regulated by the Department of Financial Services. This includes:

• Licensed lenders
• State-chartered banks
• Trust companies
• Service contract providers
• Private bankers
• Mortgage companies
• Insurance companies doing business in New York
• Non-U.S. banks licensed to operate in New York

What are some 23 NYCRR 500 exemptions?

The regulation provides an exemption for organizations with:

• Fewer than 10 employees
• Less than $5 million in gross annual revenue for three years, or
• Less than $10 million in year-end total assets

How does an organization comply?

Organizations had until August 2017 to fully implement requirements, but there was a critical milestone on February 15, 2018 – when the first annual certification demonstrating compliance was due – via submission at the NYDFS website.

A high-level timeline of important 23 NYCRR 500 dates and the checklist items for compliance are listed here:

• March 1, 2017 – Effective date of final 23 NYCRR Part 500.
• August 28, 2017 – 180-day mark: Regulated entities must be in compliance with 23 NYCRR Part 500 unless otherwise noted.
  • To achieve and maintain compliance, by this date a covered entity must:
    • Establish an effective cybersecurity program
    • Create and maintain a written cybersecurity policy
    • Designate a chief information security officer (CISO)
    • Hire qualified cybersecurity personnel or utilize third-party providers
    • Establish an incident response plan
    • Submit notification of incidents to the NYDFS (within 72 hours)
  • February 15, 2018 – Covered Entities must submit their first certification of compliance under 23 NYCRR 500.17(b) on or before this date.
  • March 1, 2018 – One-year mark.
    • To maintain compliance, by this date organizations must:
      • Report: CISO must file cybersecurity report
      • Regularly conduct penetration testing and vulnerability management
      • Conduct bi-annual risk assessments
    • September 3, 2018 – 1.5-year mark. By this date, covered entities must prove they’ve:
      • Maintained an audit trail
      • Implemented application security protocols

For some companies, this is a sizable task to take on. Ultimately, this framework will help them prepare for compliance with other data privacy regulations. However, it is still a reactive approach, and one focused on reasonable care and breach response.

At ARIA Cybersecurity Solutions, we are keenly aware of the struggles companies go through to become and remain compliant with data privacy laws. This is why our focus has been on securing critical data no matter where it resides, how it is used and how it is accessed – and providing tools that let you know when and which protected data records have been breached quickly as well as a complete audit trail and forensic records. This way when the inevitable breach does occur, there is no question about compliance.

Related: Learn More About ARIA SDS Security Services

Specifically, our solution meets the following data privacy compliance requirements:

• Protected data breach reporting within the stringent 72-notification requirement.
• Verifying critical PII data was properly protected by encryption or other advanced security means, rendering it unusable if accessed.
• Detailed reporting that can be used in any legal or auditing proceedings.

Our approach focuses on meeting 23 NYCRR 500’s most challenging requirements. We will dive into the “how” in later posts.