New York State Implements Cybersecurity Regulation 23 NYCRR 500

Bob Post, Senior Practice Director, Cyber Risk Advisory, Coalfire

On March 1, 2017, sweeping new cybersecurity requirements took effect for organizations regulated by the New York State Department of Financial Services (NYDFS). The regulation applies to a broad set of "covered entities" supervised by the NYDFS, including banks, trusts, budget planners, check cashers, credit unions, money transmitters, licensed lenders, mortgage brokers or bankers, and insurance companies that do business in New York. Large entities most likely meet these requirements already, and very small entities are exempted from some of them; it is mid-market firms that will be challenged to meet the aggressive implementation timelines.

Within the first 180 days, firms must have a comprehensive Cybersecurity Program in place, supported by written and implemented Cybersecurity Policies. They must also limit user access privileges to Information Systems that provide access to "Nonpublic Information," and they must have a formal Incident Response Plan.

All of this will be a daunting challenge for many firms. The regulation also requires them to "utilize qualified cybersecurity personnel" who are sufficiently trained and kept current on cybersecurity risks. And that is just the first 180 days.

But the regulation goes even further. Over the following 12 months, these firms will also have to name a Chief Information Security Officer (CISO), conduct Risk Assessments, Penetration Tests, and Vulnerability Scans, implement Multi-Factor Authentication, and train employees. It is going to be a very busy year. The Chairperson of the Board or a Senior Officer of the company is then required to sign and file a Certificate of Compliance in February 2018. In the coming weeks, we will be discussing how mid-market firms (those too large for the exemptions but too small to have existing resources) can approach complying with these regulations. The task is large but not without hope. And the ultimate goal, better protection of customer and proprietary sensitive data, is one we can all get behind.

The original post includes a table summarizing the implementation timeline described above.
