NuHarbor Security Blog
February 7, 2017

New York cybersecurity requirements for financial services institutions, 23 NYCRR 500

NuHarbor Security

Updated: 11/02/2017

A New Standard, 23 NYCRR 500

New York State is implementing broad-reaching regulations to protect its financial institutions. Titled “Cybersecurity Requirements for Financial Services Companies”, this set of regulations builds on NIST 800-53 to require institutions to implement security best practices. Although the rules apply only to financial institutions at this time, the Department of Financial Services is setting a precedent that other sectors can follow in the future.

So, who must comply with 23 NYCRR 500? Currently, any large institution supervised by the New York State Department of Financial Services. This comprises many of the world’s leading financial institutions—from insurance companies, banks and charitable foundations, to mortgage brokers. Not included are institutions with fewer than 10 employees, less than $5 million in gross revenue in the last three years, or less than $10 million in year-end total assets. These institutions must instead file a Notice of Exemption with NYDFS.

Why implement these new regulations? Simply put, consumers are protected when financial institutions are vigilant in securing their data. NYCRR is also acting as a guide to other states and institutions looking to stay ahead of the curve.

NuHarbor Can Help

A 300-person insurance company in New England used outmoded systems that unknowingly put the company and its clients at risk. A new Technology Officer used 23 NYCRR 500 as an example of potential future regulations that the company did not currently meet. NuHarbor Security delivered a suite of integrated services:

  • NIST Controls Assessment measured the current environment to align it with current frameworks.
  • External Pen Testing revealed potential attack vectors that the client remediated.
  • Risk Assessment helped develop policies and procedures for the...
  • Risk Management Program that NuHarbor developed.
  • Vendor Management assessed each service provider’s security posture.

Not One Size Fits All

There is no “cookie-cutter” approach to security. Each institution needs a unique organizational structure designed to ensure confidentiality, integrity, and availability of data. Prior to publication of these new rules, the New York State Department of Financial Services researched over 150 companies’ current security methodology. This research resulted in five core principles for the new regulations:

  • Establishment of a Cybersecurity Program
  • Adoption of security policy and procedure
  • Role of CISO (Chief Information Security Officer)
  • Monitoring Third-Party Service Providers
  • Additional items relating to security best practice

Implementation of these core principles is set as a “certain regulatory minimum standard while maintaining flexibility so that the final rule does not limit industry innovation and instead encourages firms to keep pace with technological advances.”

A first draft of this legislation was released in September of 2016. It has since gone through a public comment period, and an updated version was published on December 28, 2016. The latest version requires compliance beginning March 1, 2017. There is some flexibility with the revised regulations, but many institutions will find that implementation has a steep learning curve.

We are pleased to help break these regulations down according to your specific needs. Some of the requirements are best outsourced to professionals, while others are best implemented and overseen in-house.

Critical Dates:

(from NYDFS http://www.dfs.ny.gov/about/cybersecurity.htm)

March 1, 2017
23 NYCRR Part 500 becomes effective.

August 28, 2017
180 day transitional period ends. Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.

October 30, 2017
Extended deadline for filing the Notice of Exemption required by 23 NYCRR 500.19(e).

February 15, 2018
Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.

March 1, 2018
One year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.

September 3, 2018
Eighteen month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.

March 1, 2019
Two year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.
