The regulation applies to entities that are deemed "Covered Entities" under the Regulation.
Section 500.2 lays out the cybersecurity program that each covered entity is required to implement and maintain. Each cybersecurity program must be "designed to protect the confidentiality, integrity and availability of the covered entity's information systems and nonpublic information stored on those information systems."

The section also lists the core cybersecurity functions the program must perform, which include:
  1.  identify and assess internal and external cybersecurity risks that may threaten the security or integrity of nonpublic information stored on the covered entity's information systems;
  2. use defensive infrastructure and the implementation of policies and procedures to protect the covered entity's information systems, and the nonpublic information stored on those information systems, from unauthorized access, use or other malicious acts;
  3. detect cybersecurity events;
  4. respond to identified or detected cybersecurity events to mitigate any negative effects;
  5. recover from cybersecurity events and restore normal operations and services; and
  6. fulfill applicable regulatory reporting obligations.



Section 500.3 requires that each covered entity maintain a set of internal policies regarding the protection of its information systems and the nonpublic information stored on those information systems, along with a set of procedures that comply with those policies. The regulation requires that the policy be based on the entity's own risk assessment, while addressing core areas including but not limited to: information security, data governance, device management, access controls, systems and network security and monitoring, risk assessment, customer data privacy, incident response, and vulnerability management.
Section 500.4 requires covered entities to designate a CISO to "oversee" and "implement" the entity's cybersecurity program and to enforce its cybersecurity policy.

As per the regulation, a CISO must be "a qualified individual responsible for overseeing and implementing a covered entity's cybersecurity program and enforcing its cybersecurity policy."
Section 500.5 establishes that covered entities are required to develop and implement written policies and procedures for vulnerability management that are designed to assess and maintain the effectiveness of the cybersecurity program. These policies and procedures must:

  • Ensure that covered entities conduct penetration testing of their information systems (at least annually, by a qualified internal or external party) and automated scans of information systems
  • Promptly learn of new security vulnerabilities by having a monitoring process in place
  • Timely remediate vulnerabilities, prioritizing them based on the risk they present
Under 500.6, covered entities are required to maintain systems that

1) are able to reconstruct material financial transactions sufficient to support the normal operations and obligations of the covered entity; and
2) include audit trails designed to detect and respond to cybersecurity events that have a reasonable likelihood of materially harming any material part of the covered entity's normal operations

In addition, records required under subsection 1 must be retained for at least 5 years, and records required under subsection 2 must be retained for at least 3 years.

Under 500.7, as part of its cybersecurity program and based on its risk assessment, a covered entity is required to implement access controls on its information systems.
These access controls must, among other things, limit user access privileges to information systems that provide access to nonpublic information, granting only the access necessary to perform the user's job (a need-to-know basis).
Further, these access privileges must be reviewed periodically, at least annually, to keep them up to date.
Under 500.9, covered entities are also required to conduct a periodic risk assessment of the covered entity's information systems sufficient to inform the design of the cybersecurity program.

Risk Assessments are required to include
1) criteria to evaluate and categorize identified cybersecurity risks or threats facing the covered entity. See CVSS, the Common Vulnerability Scoring System maintained by FIRST (note that CVSS rates the severity of individual vulnerabilities, so it is only one input to an entity-level risk categorization)

2) criteria for assessing the Confidentiality, Integrity, Security, and Availability of the Covered Entity's information systems and nonpublic information. See CIA Triad

3) requirements describing how identified risks will be mitigated or accepted based on the risk assessment and how the cybersecurity program will address the risks
The Attorney General of New York has proposed additional legislation for crypto and digital asset businesses, known as The Crypto Regulation, Protection, Transparency, and Oversight (CRPTO) Act. It would impose new requirements on digital asset brokers that operate from or within New York.
