The New York Cybersecurity Regulation

Geremia Adamo Jr.

Practitioner's Guide
This website is intended to be a practitioner's guide to understanding and complying with 23 NYCRR 500, the Cybersecurity Regulation.
What is 23 NYCRR 500?
In early 2017, the New York Department of Financial Services enacted a regulation, 23 NYCRR 500, that set minimum cybersecurity standards within the State of New York.

The regulation impacts "Covered Entities," which include all financial institutions, including banks, money managers, and insurance companies, among others, that conduct business within New York.

These standards require designing and maintaining a cybersecurity program to protect the confidentiality, integrity, and availability of the Information Systems and any Nonpublic Information belonging to consumers. The Regulation mandates a number of additional requirements.

In late 2023, the NYDFS enacted an amendment to the regulation, which mandated a host of new requirements for Covered Entities.


NIST Cybersecurity Framework
The NIST Cybersecurity Framework is considered the gold standard for cybersecurity in the US. The Framework provides a set of cyber activities, outcomes, and information common across different sectors. NIST provides five elements, or core functions, of the framework: Identify, Protect, Detect, Respond, and Recover.

General Data Protection Regulation
The General Data Protection Regulation (GDPR) is a legal framework that sets guidelines for the collection and processing of personal information of European Union (EU) data subjects. The GDPR protects the rights and freedoms of individuals with regard to their personal information and aims to prevent data breaches from occurring. The GDPR also imposes fines on entities that do not maintain compliance with its mandates. GDPR went into effect on May 25, 2018.
FTC Safeguards Rule
The FTC's Standards for Safeguarding Customer Information Rule ("Safeguards Rule") was created to safeguard the security of customer information.

The Rule was first enacted in 2003, but subsequently amended in 2021 to accommodate advancements in technology.

The Safeguards Rule covers "financial institutions," which are entities that are engaged in an activity that is financial in nature or incidental to such financial activities.
The Rule requires covered financial institutions to develop, implement, and maintain an information security program.
PIPEDA
Canada's Personal Information Protection and Electronic Documents Act (PIPEDA) applies to corporations in Canada that "collect, use or disclose personal information in the course of a commercial activity." PIPEDA defines a commercial activity as "any particular transaction, act, or conduct, or any regular course of conduct that is of a commercial character, including the selling, bartering, or leasing of donor, membership, or other fundraising lists."


DORA
DORA, enacted in 2022, is an EU regulation, similar to 23 NYCRR 500, that impacts financial service institutions. DORA focuses specifically on cybersecurity protections for these institutions. Entities covered under DORA have until January 17, 2025 to comply before enforcement begins.

DORA requires financial entities to address cybersecurity compliance for risk management and governance, incident response and reporting, digital operational resilience testing, and third-party risk management.

Interestingly, similar to 23 NYCRR 500, DORA's guidelines apply to financial entities individually, based on their own existing guidelines. DORA focuses on establishing a "universal framework for managing and mitigating ICT risk" by removing gaps between EU nations.

Also similar to 23 NYCRR 500, small financial institutions are not held to the same standards as major financial institutions.
The regulation impacts entities that are deemed "Covered Entities" under the Regulation.
Section 500.2 lays out the cybersecurity program that each Covered Entity is required to implement and maintain. Each cybersecurity program must be "designed to protect the confidentiality, integrity and availability of the covered entity's information systems and nonpublic information stored on those information systems."

The Section also states the core cybersecurity functions, which include:
  1.  identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity's information systems;
  2. use defensive infrastructure and the implementation of policies and procedures to protect the covered entity's information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
  3. detect cybersecurity events;
  4. respond to identified or detected cybersecurity events to mitigate any negative effects;
  5. recover from cybersecurity events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations.



Section 500.3 requires that each Covered Entity maintain a set of internal policies regarding the protection of its information systems and the nonpublic information stored on those information systems, along with a set of procedures that comply with such policy. The regulation requires that the policy be based on the entity's own risk assessment, while addressing core competency areas including but not limited to: information security, data governance, device management, access controls, systems and network security and monitoring, risk assessment, customer data privacy, incident response, and vulnerability management.
500.4 requires covered entities to appoint a CISO to "oversee" and "implement" the entity's cybersecurity program and to enforce its cybersecurity policy.

As per the regulation, a CISO must be "a qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy."
500.5 establishes that Covered Entities are required to develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of their cybersecurity program. These policies and procedures must:

  • Ensure that Covered Entities conduct penetration testing and automated scans of information systems
  • Promptly learn of new security vulnerabilities by having a monitoring process in place
  • Timely remediate vulnerabilities, prioritizing them based on their risk
Under 500.6, Covered Entities are required to maintain systems that

1) are able to reconstruct financial transactions to comply with the regular operations and obligations of the company; and
2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming the normal operations of the Covered Entity.

In addition, records under subsection 1 are required to be kept for at least 5 years, and records under subsection 2 are required to be kept for at least 3 years.

Under 500.7, Covered Entities are required, as part of their Risk Assessment, to implement access controls for their systems.
These access controls must, among other things, limit access to systems holding nonpublic information and permit access to systems only on a need-to-know basis.
Further, these access controls must be periodically reviewed, at least annually, to keep them up to date.
Under 500.9, Covered Entities are also required to conduct a periodic risk assessment of their information systems, sufficient to inform the design of the cybersecurity program.

Risk Assessments are required to include:
1) criteria to evaluate and categorize identified cybersecurity risks or threats facing the Covered Entity. See NIST CVSS

2) criteria for assessing the Confidentiality, Integrity, Security, and Availability of the Covered Entity's information systems and nonpublic information. See CIA Triad

3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment, and how the cybersecurity program will address the risks.
The Attorney General of New York has proposed additional regulations for Crypto and Digital Asset businesses, known as The Crypto Regulation, Protection, Transparency, and Oversight Act (CRPTO). It would impose new requirements on Digital Asset Brokers that operate from or within New York.
Protected Information: 500.1(k)

Various forms of information are protected under the Cybersecurity Regulation.

CIA Triad

The CIA Triad represents the three pillars of information security: confidentiality, integrity, and availability. The triad is a benchmark model for information security programs, as each attribute represents an important aspect of information security.

Confidentiality: NIST SP 800-122

The term confidentiality means preserving authorized restrictions on access and disclosure, including means for protecting personal privacy and proprietary information.

Integrity: NIST SP 800-59

Integrity means guarding against improper information modification or destruction, and includes ensuring information authenticity.

Availability: NIST SP 800-137

Availability means ensuring timely and reliable access to and use of information.
On January 12, 2024, The New York State Department of Financial Services issued a cybersecurity alert regarding self-service password reset (SSPR) features. It warned that some organizations' SSPR systems lack secure authentication, which can pose risks. For instance, using email addresses or mobile phone numbers as authentication factors can be vulnerable to attacks such as SIM-swapping. The alert advised implementing layered controls like mobile device management, monitoring SSPR attempts, and limiting user access to SSPR. It also urged regulated entities to report cybersecurity incidents and extortion payments via the DFS Portal.
On December 27, 2023, The New York State Department of Financial Services (DFS) issued guidance to Chief Information Security Officers about a cybersecurity incident involving First American Financial Corporation. First American warned recipients to be cautious of emails purportedly from them, advising against clicking on unknown or suspect links. DFS emphasized the importance of remaining cautious and vigilant with email links and attachments.
On November 15, 2023, The New York State Department of Financial Services issued updated guidance for Virtual Currency Business Entities, incorporating feedback from a public comment period. Key points include obtaining DFS approval for coin-listing policies, providing written notice of self-certified coins, and creating separate coin-delisting policies. VC Entities must meet DFS deadlines for policy submission and adhere to governance, process, and execution standards outlined in the guidance. Additionally, the guidance reminds entities of their obligation to comply with the DFS Cybersecurity Regulation (23 NYCRR Part 500) and other applicable laws and regulations.
On November 14, 2023, The New York State Department of Financial Services (DFS) issued a cybersecurity threat alert regarding the Citrix Bleed vulnerability (CVE-2023-4966) affecting Citrix NetScaler ADC and Gateway products.

This vulnerability allowed cyber actors to take control of affected systems, leading to session hijacking and targeted attacks. Citrix advises immediate installation of recommended builds and termination of active sessions.

Another vulnerability, CVE-2023-4967, has been identified in customer-managed instances of Citrix NetScaler ADC and Gateway. DFS urged regulated entities to assess the risk to their organization and take mitigation measures promptly. Incidents meeting the criteria of 23 NYCRR Section 500.17(a) must be reported via the secure DFS Portal within 72 hours. Additionally, cyber extortion payments must be reported within 24 hours from December 1, 2023, with a description of the rationale provided within 30 days. 
On June 2, 2023, the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (“CISA”) and others announced that Progress Software (“Progress”) had released a security advisory for a vulnerability in MOVEit Transfer—a managed file transfer software.

According to Progress's website, a SQL injection vulnerability had been found in the MOVEit Transfer web application that could allow an unauthenticated attacker to gain unauthorized access to MOVEit Transfer's database. This vulnerability could lead to escalated privileges and potential unauthorized access to the environment. MOVEit Transfer customers were advised by Progress to take immediate action, including the mitigation measures listed on its website and patching affected versions. All regulated entities were urged to promptly assess risk to their organization, customers, consumers, and third-party service providers based upon the evolving information and take action to mitigate risk.

Regulated entities must report cybersecurity events that met the criteria of 23 NYCRR Section 500.17(a) as promptly as possible and within 72 hours at the latest via the secure DFS Portal, which could be accessed from DFS’s Cybersecurity Resource Center. DFS considered evidence of unauthorized access to information systems, such as webshell installation, even if there had been no malware deployed or data exfiltrated, a reportable Cybersecurity Event pursuant to 23 NYCRR Section 500.17(a)(2).
On December 10, 2021, a critical vulnerability in Apache's Log4j software was announced by the U.S. Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) and others. This vulnerability, considered one of the most serious to date, allowed for remote code execution. Threat actors were actively exploiting it to deploy ransomware, steal data, and disrupt operations. Regulated entities were urged to assess and mitigate risks promptly, consulting CISA guidance. Reporting such cybersecurity events promptly was emphasized, following criteria outlined in Section 500.17(a) of the New York Codes, Rules and Regulations (NYCRR).

On December 7, 2021, the NYDFS posted guidance on Multi-Factor Authentication (MFA); MFA had long been recognized as a crucial aspect of cybersecurity, even back in 2016 and 2017 when the Department of Financial Services (DFS) drafted the Cybersecurity Regulation. MFA was explicitly required by the Regulation due to its importance, a stance that hasn't changed over time, especially with the rise in cybercrime.
MFA weaknesses have consistently been exploited in cyber incidents, with gaps often found in its implementation or configuration. These gaps have led to consequences, impacting millions of consumers. DFS has been actively enforcing MFA requirements, resolving enforcement actions against companies failing to implement it effectively.

The Cybersecurity Regulation mandates MFA for remote access, emphasizing its necessity in managing unauthorized access risks. Despite exemptions for small businesses, the increase in cybercrime has made MFA indispensable for all entities.

Common MFA problems include legacy systems lacking MFA support, insufficient coverage for key applications, and poor management of exceptions. DFS recommends using MFA for privileged accounts and being cautious of different MFA methods' vulnerabilities.
For small businesses, lacking MFA has made them prime targets for cybercriminals. DFS recommends implementing MFA, offering resources like the Cybersecurity Toolkit for Small Business to facilitate the process.
On October 22, 2021, the DFS published guidance regarding the adoption of an "Affiliate's" Cybersecurity Program. The Cybersecurity Regulation permits Covered Entities to adopt "the relevant and applicable provisions" of the cybersecurity program of an affiliate, provided that such provisions satisfy the requirements of the Cybersecurity Regulation. 23 NYCRR § 500.2(c). Many Covered Entities are affiliates of other companies – parents, subsidiaries, etc. – and often share information technology and cybersecurity resources and programs with those affiliates. Adoption can occur, for instance, when a DFS-licensed subsidiary uses a shared service provided by the parent corporation. Examples of Covered Entities that have adopted all or part of an affiliate's cybersecurity program include the New York subsidiary of a national insurance company, a virtual currency entity created by a corporate parent specifically to engage in that business activity, and the New York branch of a foreign bank.

On June 30, 2021, DFS posted guidance regarding the increasing amount of ransomware attacks on US institutions. Ransomware posed a particularly strong concern for financial institutions, with the potential to result in financial crisis. The Department of Financial Services (DFS) underscored the exponential increase in ransomware attacks, which led to a surge in cybercrime costs and impacted the cyber insurance landscape. Despite the escalating ransom payments made by victims, DFS strongly advised against such actions due to associated risks, urging instead the implementation of robust cybersecurity controls outlined in their guidance to mitigate the likelihood of such attacks. These measures encompassed email filtering, patch management, multi-factor authentication, and privileged access management, among others, to bolster resilience against ransomware threats.

DFS emphasized the imperative for institutions to develop comprehensive incident response plans and maintain segregated backups as crucial preparatory measures against potential ransomware incidents. Moreover, DFS highlighted the need for collaborative efforts within the industry to address the evolving ransomware landscape effectively. By adhering to these guidelines and fostering a proactive cybersecurity posture, financial entities could fortify their defenses and minimize the risk of falling victim to ransomware attacks, thereby safeguarding both their operations and the broader financial ecosystem.
 
On March 9, 2021, the DFS posted guidance to Officers of Covered Entities regarding four vulnerabilities found in the Microsoft Exchange server. 
In recent days, thousands of organizations were compromised via zero-day vulnerabilities in Microsoft Exchange Server, despite patches being made available by Microsoft on March 2, 2021. The Department of Financial Services (DFS) urgently advised all regulated entities with vulnerable Microsoft Exchange services to take immediate action by either patching or disconnecting vulnerable servers and utilizing Microsoft's tools to address any compromise resulting from these vulnerabilities. Additionally, the U.S. Department of Homeland Security Cybersecurity & Infrastructure Security Agency (CISA) issued guidance on searching for compromises related to these vulnerabilities.

Microsoft had reported four vulnerabilities affecting on-premises versions of Microsoft Exchange Server, including CVE-2021-26855, CVE-2021-26857, CVE-2021-26858, and CVE-2021-27065, which were actively exploited before the patches were released. CISA recommended immediate patching and advised on preserving forensics of cyber events, highlighting the deployment of web shells by threat actors for persistent network access. Regulated entities were urged to assess the risk to their systems and consumers, track developments related to the compromise, and promptly report cybersecurity events as required by regulation.

Since the original 2017 version of the Cybersecurity Regulation, Covered Entities were required to notify the DFS of any cybersecurity event. See 23 NYCRR 500.1(f), (g).  In the most recent amendment to 23 NYCRR 500, Covered Entities are required to notify NYDFS of a qualifying "cybersecurity incident." See 23 NYCRR 500.1(f), (g).

Cybersecurity Event: any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an Information System or information stored on such Information System 

Cybersecurity Incident: a cybersecurity event that has occurred at the covered entity, its affiliates, or a third-party service provider that:
1) impacts the covered entity and requires the covered entity to notify any government body, self-regulatory agency or any other supervisory body;
2) has a reasonable likelihood of materially harming any material part of the normal operation(s) of the covered entity; or
3) results in the deployment of ransomware within a material part of the covered entity's information systems.

WHY is this important?

The original cybersecurity event definition generally covered malicious attacks on confidentiality, integrity, and availability, and it mandated a continuous notification scheme to DFS.

Under the recent amendments, cybersecurity incidents do not have to be situations where there was a malicious actor; rather, any flaw found within a Covered Entity's systems that impacts the Entity, or has a reasonable likelihood of harming the Entity, must be reported.

Under 500.17, Covered Entities must certify compliance with Part 500 by April 15.
In addition, by April 15, Covered Entities must also submit to NYDFS either:
i. a Certification of Material Compliance; or
ii. an Acknowledgement of Noncompliance
Under Section 500.17(b) of the NYCRR:

(b) Annually each Covered Entity shall submit to the superintendent a written statement covering the prior calendar year. This statement shall be submitted by April 15th in such form set forth as Appendix A of this Title, certifying that the Covered Entity is in compliance with the requirements set forth in this Part. Each Covered Entity shall maintain for examination by the Department all records, schedules and data supporting this certificate for a period of five years. To the extent a Covered Entity has identified areas, systems or processes that require material improvement, updating or redesign, the Covered Entity shall document the identification and the remedial efforts planned and underway to address such areas, systems or processes. Such documentation must be available for inspection by the superintendent.
Each Covered Entity must maintain a cybersecurity program designed to protect the Confidentiality, Integrity, and Availability of the Covered Entity's Information Systems. See 500.2


1. Develop and Implement policies and procedures for monitoring and assessing cybersecurity risks
2. Regularly test and update the effectiveness of the cybersecurity program
3. Maintain an inventory of information systems and data
4. Classify the data inventory according to its level of sensitivity
5. Develop and implement policies and procedures for incident response
6. Conduct periodic cybersecurity training for all employees
7. Conduct periodic vulnerability assessments and penetration testing
8. Use defensive infrastructure to protect from unauthorized access, use or malicious acts.
  • Update incident response plans to be in compliance with the latest Amendment
  • Determine if you are a Class A company
  • Prepare to comply with new reporting mandates
  • Revise your cybersecurity program
A Class A company is defined at 500.1(d) as a Covered Entity with at least $20,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and the business operations in this State of the covered entity's affiliates and:
  1. over 2,000 employees averaged over the last two fiscal years, including employees of both the covered entity and all of its affiliates no matter where located; or
  2. over $1,000,000,000 in gross annual revenue in each of the last two fiscal years from all business operations of the covered entity and all of its affiliates no matter where located.
For purposes of this subdivision, when calculating the number of employees and gross annual revenue, affiliates shall include only those that share information systems, cybersecurity resources or all or any part of a cybersecurity program with the covered entity.
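The Class A test above has a revenue gate that counts only affiliates' New York operations, followed by two alternative prongs that count affiliates' operations anywhere, and in every step only affiliates that share systems or a cybersecurity program are counted. The following added example (not from this site or from DFS; the data classes, field names and sample figures are this example's own constructions) applies the 500.1(d) definition to two fiscal years of data and reports each sub-test so the determination can be documented.

```python
"""Class A company determination under 23 NYCRR 500.1(d), as restated above.
Added example: data classes, function names and sample figures are hypothetical."""
from dataclasses import dataclass, field
from typing import List

# Thresholds as stated in 500.1(d); all revenue figures are US dollars.
REVENUE_FLOOR = 20_000_000                    # required in each of the last two fiscal years
EMPLOYEE_THRESHOLD = 2_000                    # averaged over the last two fiscal years
WORLDWIDE_REVENUE_THRESHOLD = 1_000_000_000   # required in each of the last two fiscal years


@dataclass
class Affiliate:
    name: str
    employees: List[int]          # head count for each of the last two fiscal years
    revenue_all: List[int]        # gross annual revenue from all operations, per year
    revenue_ny: List[int]         # gross annual revenue from operations in New York, per year
    shares_cyber_resources: bool  # shares information systems, cybersecurity resources
                                  # or any part of a cybersecurity program with the entity


@dataclass
class CoveredEntity:
    name: str
    employees: List[int]
    revenue_all: List[int]
    affiliates: List[Affiliate] = field(default_factory=list)


def counted_affiliates(entity: CoveredEntity) -> List[Affiliate]:
    """500.1(d) counts only affiliates that share information systems,
    cybersecurity resources or part of a cybersecurity program."""
    return [a for a in entity.affiliates if a.shares_cyber_resources]


def class_a_assessment(entity: CoveredEntity) -> dict:
    """Return each sub-test of 500.1(d) alongside the overall result."""
    affs = counted_affiliates(entity)
    years = (0, 1)
    for rec in [entity, *affs]:
        if len(rec.employees) != 2 or len(rec.revenue_all) != 2:
            raise ValueError(f"{rec.name}: need exactly two fiscal years of data")
    # Gate: at least $20M in each year from the entity's own operations plus
    # the New York operations of counted affiliates.
    gate_revenue = [entity.revenue_all[y] + sum(a.revenue_ny[y] for a in affs) for y in years]
    gate_met = all(r >= REVENUE_FLOOR for r in gate_revenue)
    # Prong 1: over 2,000 employees averaged over two years, affiliates anywhere.
    avg_employees = sum(entity.employees[y] + sum(a.employees[y] for a in affs) for y in years) / 2
    # Prong 2: over $1B in each year from all operations of entity and affiliates anywhere.
    worldwide_revenue = [entity.revenue_all[y] + sum(a.revenue_all[y] for a in affs) for y in years]
    employee_prong = avg_employees > EMPLOYEE_THRESHOLD
    revenue_prong = all(r > WORLDWIDE_REVENUE_THRESHOLD for r in worldwide_revenue)
    return {
        "counted_affiliates": [a.name for a in affs],
        "gate_met": gate_met,
        "avg_employees": avg_employees,
        "employee_prong": employee_prong,
        "revenue_prong": revenue_prong,
        "class_a": gate_met and (employee_prong or revenue_prong),
    }


def is_class_a(entity: CoveredEntity) -> bool:
    return class_a_assessment(entity)["class_a"]


# Constructed sample: a small licensed subsidiary that shares its parent's
# security program, so the parent's head count is pulled into the calculation.
PARENT = Affiliate("Example Parent Co (constructed)", [1_800, 1_900],
                   [500_000_000, 550_000_000], [0, 0], shares_cyber_resources=True)
SUBSIDIARY = CoveredEntity("Example NY Sub (constructed)", [400, 450],
                           [25_000_000, 26_000_000], [PARENT])

if __name__ == "__main__":
    print(class_a_assessment(SUBSIDIARY))
```

Note that the same subsidiary with a parent that does not share systems or a cybersecurity program falls out of Class A entirely, which is why the sharing relationship, not just the corporate structure, must be recorded in the assessment.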

Certificate of Compliance Form
Appendix A to Part 500 of the NYCRR provides the Certification of Compliance Form with the New York State Department of Financial Services Cybersecurity Regulations

In addition, Appendix B provides a form for a "Notice of Exemption," which enables a Covered Entity to provide notice that it qualifies for one of the enumerated exemptions.
The Regulation is enforced by the superintendent of the DFS. See 500.20(a). Violations include:
  1. The commission of any act prohibited under 23 NYCRR 500
  2. Failure to fulfill any obligation required under 23 NYCRR 500, including:
    • Failure to secure or prevent unauthorized access
    • Material failure to comply for any 24-hour period
See 500.20(b)
Section 500.20(c) provides a number of factors that the DFS considers in determining the penalty for violation.
  • the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts
  • the good faith of the entity
  • whether the violations resulted from conduct that was unintentional or inadvertent, reckless or intentional and deliberate
  • whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions or similar
  • any history of prior violations
  • whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations
  • whether the covered entity provided false or misleading information
  • the extent of harm to consumers
  • whether required, accurate and timely disclosures were made to affected consumers
  • the gravity of the violations
  • the number of violations and the length of time over which they occurred
  • the extent, if any, to which the senior governing body participated therein
  • any penalty or sanction imposed by any other regulatory agency
  • the financial resources, net worth and annual business volume of the covered entity and its affiliates
  • the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST
  • such other matters as justice and the public interest require.

  • 3/1/2017: Publication of 23 NYCRR Part 500 (the "Cybersecurity Regulation")
  • 3/1/2019: The Cybersecurity Regulation goes into effect
  • 1/20/2020: First Amended Cybersecurity Regulation
  • 7/29/2022: Draft Proposed Second Amendment
  • 11/9/2022: Proposed Second Amendment
  • 6/28/2023: Revised Proposed Second Amendment
  • 11/1/2023: Second Amended Cybersecurity Regulation