23 NYCRR 500: The New Standard for Cybersecurity

By Denisse Stephanie Mira, J.D. Class of 2017, Co-Editor-in-Chief, Journal of Race, Gender, and Ethnicity

On September 13, 2016, New York Governor Andrew Cuomo proposed a first-of-its-kind cybersecurity regulation, 23 NYCRR 500 (the “Regulation”).[1] This Regulation applies to banks, insurers, and financial services regulated by the New York Department of Financial Services (the “DFS”).[2] It was slated to become effective January 1, 2017, but due to public comments concerning small businesses, it was revised and became effective as of March 1, 2017.[3] There is a 180-day grace period for companies to comply with the requirements unless otherwise specified.[4] Under the Regulation, an additional requirement to provide a Certification of Compliance to the DFS will commence on February 15, 2018.[5]

This Regulation has been in the works since 2014, following a series of high-profile data breaches at companies such as Target Corp. and The Home Depot, Inc.[6] The breaches at those companies led to millions of dollars in losses.[7] Governor Cuomo stated, “[t]hese strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cyber-crimes.”[8] The Regulation is the first of its kind in the nation because it provides actual rules instead of guidelines. It distinguishes itself from other cybersecurity regulations like the Gramm-Leach-Bliley Act’s (“GLBA”) privacy rule, which only offers recommendations.[9] If the Regulation’s rules are not followed, the DFS’s power to seek enforcement and compliance is ominous and broad.[10]

In formulating the new regulation, the DFS utilized the information it obtained from polling about 200 regulated banking institutions and insurance companies.[11] The DFS also surveyed a cross-section of those polled, along with cybersecurity experts, to discuss emerging trends and risks, due diligence processes, and policies and procedures governing relationships with third-party service providers.[12]

Who and What 23 NYCRR 500 Covers

The Regulation defines a “Covered Entity” as “any [p]erson operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the [New York] banking law, the insurance law or the financial services law.”[13] Recognizing that certain smaller entities may have difficulty reaching the minimum standard set by the DFS, the Regulation exempts them from some, but not all, of the requirements.[14] The Regulation also directly affects the third-party service providers of those “Covered Entities.” The third-party service providers must comply with the Regulation even if they may not be directly doing business in New York.[15]

The goal of the Regulation is to secure “Nonpublic Information”[16] from abuse, interference and unauthorized access.[17] It includes numerous categories of information that a “Covered Entity” receives either from consumers or about consumers, including information that is considered nonpublic personal information under the GLBA Privacy Rule.[18] Accordingly, the Regulation’s definition of nonpublic information is far broader than what New York’s pre-existing data protection law defines as “personal information.”[19]

Key Points of the Cybersecurity Program for Covered Entities

“Covered Entities” must:

  • Implement a cybersecurity program with written policies and an audit trail.
  • Implement procedures for assessing and testing the security of all internally and externally developed applications.
  • Assess risk to non-public information and information systems accessible or held by third-party service providers.
  • Conduct third-party security assessments at least annually.
  • Require and provide that all personnel attend regular cybersecurity awareness training.
  • Create and implement controls to protect non-public information.
  • Establish an incident response plan for possible and actual data breaches.
      • The incident response plan must include the identification and precise roles and responsibilities of the individuals who will carry out the actions the response plan specifies.
  • Employ a Chief Information Security Officer (“CISO”) and dedicated cybersecurity personnel.
      • The CISO and cybersecurity personnel can be internal or a third-party service provider.
  • Identify cyber risks and conduct penetration testing at least annually and vulnerability assessments at least quarterly.[20]

Limiting Access to Information and Systems

Under the Regulation, “Covered Entities” will be required to encrypt their “Nonpublic Information” in transit by January 2018 and their “Nonpublic Information” at rest by January 2022.[21]

“Covered Entities” must also require multifactor authentication for remote access to their systems or for privileged access to the servers that contain “Nonpublic Information.”[22] Given the extent to which the Regulation seeks to control “Nonpublic Information,” implementation of those security measures may be expensive. The expense depends on how many platforms the information may be shared on, since each would need to meet the requirements of the Regulation, and any party that has access would need to be trained accordingly to remain compliant.[23]

The Regulation makes “Covered Entities” responsible for the cybersecurity practices of the third parties who hold or can access “Nonpublic Information.”[24] The third parties’ policies and procedures are to be assessed by the “Covered Entity” for any risks that come from using those third parties.[25]

This will be a challenge for the “Covered Entities,” as they likely will not have full and direct access to examine or control the cybersecurity program the third party adopts.


Notice of a “Cybersecurity Event” must be sent from the “Covered Entity” to the “Superintendent” within seventy-two hours of its occurrence.[26] The Regulation defines a “Cybersecurity Event” as any attempt or attack “that has a reasonable likelihood of materially affecting the normal operation of the Covered Entity or that affects Nonpublic Information . . .”[27]

This provision creates more of a problem than a solution. A “Covered Entity” may have to report a data breach or attempted breach to the “Superintendent” before the “Covered Entity” has an opportunity to fully assess the nature and extent of the incident. If an entity were allotted more time to address the breach, it would be better equipped to accurately communicate the scope of the event and detail the event’s nature and likely consequences with more precision. Thus, the data collected from the reporting would be more accurate for the DFS’s recordkeeping. These records are what the DFS will use to enforce the Regulation and protect the data that is exchanged.[28]


“Covered Entities” are subject to extensive recordkeeping requirements under the “audit trails.”[29] They must use the information from the “audit trails” to detect any attempted and actual attacks.[30] Such “audit trail” records must be maintained for three to six years depending on the type of data that is collected.[31]

Annual Certification

By February 15, 2018, “Covered Entities” must certify in writing to the Superintendent that they are in full compliance with the Regulation.[32] The record of certification must be maintained for at least five years and made available to the Superintendent upon request.[33]

It should be noted that the backup materials need only be maintained for five years and the audit trail materials must be maintained for three to six years, which suggests that the Superintendent may also use the audit trail as a source of information to search for additional violations.[34]

Individuals who sign the certification may be exposed to personal liability if the “Covered Entity” is ultimately found to be noncompliant.[35] The Superintendent may enforce the Regulation pursuant to her “authority under any applicable laws.”[36]


New York State is taking the lead in establishing these minimum standards for cybersecurity programs, but it is the “Covered Entities” and their third-party service providers that bear the expensive and tedious burden of meeting and keeping to the new standards imposed by the Regulation.

“Covered Entities” must start assessing cybersecurity risks, policies, and procedures to develop or enhance their cybersecurity program and to begin documenting and tracking their compliance efforts so that they can become compliant by August 28, 2017.[37]

Considering the ominous and broad repercussions under Section 500.20 for non-compliance, compliance attorneys and cybersecurity firms will be in high demand.

[1] Press Release, Dep’t of Fin. Services, Governor Cuomo Announces Proposal of First-in-the-Nation Cybersecurity Regulation to Protect Consumers and Financial Institutions (Sept. 13, 2016) [hereinafter Press Release].

[2] Id.

[3] Id.

[4] Key Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500), N.Y. Dep’t of Fin. Services, http://dfs.ny.gov/about/cybersecurity.htm (last visited Apr. 12, 2017).

[5] Id.

[6] Karen Freifeld & Jim Finkle, New York State Cyber Security Regulation to Take Effect March 1, Thomson Reuters (Feb. 16, 2017 4:14 PM), http://www.reuters.com/article/cyber-new-york-idUSL1N1G11F2.

[7] Id.

[8] Press Release, supra note 1.

[9] Gretchen A. Ramos & Larry P. Schiffer, New York Revamps Proposed Cybersecurity Regulation for Financial Services and Insurance Entities, Nat’l Law Rev. (Apr. 11, 2017), http://www.natlawreview.com/article/new-york-revamps-proposed-cybersecurity-regulation-financial-services-and-insurance.

[10] “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.” N.Y. Comp. Codes R. & Regs. tit. 23, § 500.20 (2017).

[11] Press Release, supra note 1.

[12] Press Release, supra note 1.

[13] 23 NYCRR § 500.01(c).

[14] Id. at § 500.19.

[15] Id. at § 500.03(l).

[16] Id. at § 500.01(g).

[17] Id. at § 500.01(g)(1).

[18] See 15 U.S.C. §§ 6801-09 (2011) (showing the categories of information that a “Covered Entity” receives).

[19] Compare 23 NYCRR § 500.01(g)(2), with N.Y. Pub. Off. Law § 92(7) (McKinney 2011).

[20] See generally 23 NYCRR § 500.

[21] Frequently Asked Questions Regarding 23 NYCRR PART 500, N.Y. Dep’t of Fin. Services (Mar. 13, 2017), http://www.dfs.ny.gov/about/cybersecurity_faqs.htm [hereinafter FAQ].

[22] 23 NYCRR § 500.11(b)(1).

[23] Id. at § 500.14.

[24] Id. at § 500.11.

[25] Id. at § 500.11(a).

[26] Id. at § 500.17.

[27] 23 NYCRR § 500.01(d).

[28] Id. at § 500.06.

[29] Id. at § 500.06.

[30] Id. at § 500.06.

[31] Id. at § 500.06(b).

[32] FAQ, supra note 21.

[33] 23 NYCRR § 500.17(b).

[34] Id. at § 500.02.

[35] “This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent’s authority under any applicable laws.” 23 NYCRR § 500.20; see, e.g., N.Y. Bank Law § 672 (West through L.2017, chs. 1-23).

[36] 23 NYCRR § 500.20.

[37] FAQ, supra note 21.



