NEW YORK STATE CYBERSECURITY REGULATIONS (23 NYCRR 500)


New York State is the first state in the nation to announce a cybersecurity regulation to protect New York's financial services industry and consumers from the ever-growing threat of cyber-attacks. This regulation took effect on March 1, 2017.
The final regulation requires banks, insurance companies, and other financial services institutions regulated by the Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers' private data and ensure the safety and soundness of New York's financial services industry.
Considering that New York is the financial capital of the world, these protections are designed to help ensure that the necessary safeguards are in place to protect companies and their clients from the serious economic harm caused by potentially devastating cybercrimes.


Who must comply with this law?

All financial institutions under the jurisdiction of the New York State Department of Financial Services (NYDFS) must comply with these new rules and regulations, and we're here to help.
If you are a banking, insurance or brokerage firm that operates under a license in New York, you are required to comply (with some exceptions).



For more information about this new law, please visit: http://ow.ly/J10o309dmXW (or just Google "NYDFS Cybersecurity Regulations").

Deadlines for implementation:
The deadlines, counted from March 1, 2017, are:

Six months:
  • IT security program and policies (500.02 & 500.03)
  • Access privileges (500.07)
  • Qualified cybersecurity personnel (500.10)
  • Incident response plans (500.16)
One year:
  • CISO reporting to the board of directors (500.04(b))
  • Penetration testing and vulnerability assessments (500.05)
  • Risk assessments (500.09)
  • Multi-factor authentication (500.12)
  • Cybersecurity awareness training (500.14(b))
18 months:
  • Audit trails (500.06)
  • Application security (500.08)
  • Data retention (500.13)
  • Policies and procedures to monitor the activity of authorized users (500.14(a))
  • Encryption (500.15)
Two years:
  • Third-party service provider security policy (500.11)


Our services for compliance with New York State Cybersecurity Regulations

24By7Security, Inc. can provide the services needed to comply with the new requirements. After a brief conversation with our compliance specialist, your search for help can be over!

We offer a full range of services that will help you get compliant with the New York State Cybersecurity Regulations. Here is an abbreviated list of Cyber/IT Security services we offer (more can be found on our services page):

  • Assessments – FFIEC Cybersecurity Assessment Tool, GLBA, IT Operational Assessments
  • Vulnerability Assessment – Internal, External, Web Application penetration testing
  • Policy & Procedure – Review, Development, and Revisions
  • Incident Response – Policy, Procedure, Run book, Simulation
  • Third-Party Risk Program – Policy, Procedure, Risk Assessment, Annual Survey
  • CISO as a Service – Part-time CISO services depending on the size of the institution