Director, Security Advisory Services

March 1, 2017 marked the date on which the NYS Department of Financial Services' cybersecurity regulation (23 NYCRR Part 500) took effect for all covered entities that do business in New York State. A covered entity, as defined by the NYS DFS, is "any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law." The regulation also reaches third-party service providers that process, store, and/or transmit nonpublic information on behalf of a covered entity, through the obligations it places on the covered entity to manage those providers.

Detailed information regarding this regulation can be found on the NYS DFS website.

There are a total of 16 requirements that organizations must either comply with, or hold a written justification and approval for, by March 1, 2019, and the regulation sets a schedule of specific transitional deadlines by which companies need to meet them.

Where are we now?

On August 28, 2017, the first transitional period for covered entities to become compliant came to an end. This benchmark covered seven of the 16 requirements. At this point, organizations should have the following in place:

  • 500.02 – Establishment of a cyber security program
  • 500.03 – Documented cyber security policies
  • 500.04 – Designation of a CISO to lead the cyber security program
  • 500.07 – A process to limit user access privileges to nonpublic information and to periodically review those privileges
  • 500.10 – Qualified cyber security personnel, with training to keep their knowledge current
  • 500.16 – A written incident response plan
  • 500.17 – Notification of cyber security events to the superintendent within 72 hours, and an annual certification of compliance

Next Steps

The next major benchmark for 23 NYCRR 500 compliance is March 1, 2018. By this deadline, organizations should have the following in motion:

  • Designated Chief Information Security Officer in seat, operating, and delivering the annual written report on the cyber security program
  • Penetration Testing and Vulnerability Assessments
  • Risk Assessment
  • Multifactor Authentication for access to nonpublic information
  • Holistic Cyber Security Awareness Training Program for all personnel

Many organizations have spent the majority of the past six months strengthening their internal policy and procedural documentation. Setting these administrative controls up front is critical: each technical control implemented later should trace back to the policy or procedure that requires it. Doing so sets the organization up for success in complying with this regulation and, ultimately, minimizes business risk.

ePlus has created this eBook to help you navigate the changes in the regulatory landscape.

The ePlus team of security experts is here to assist your organization with assessments of your current security program as we work through 23 NYCRR 500 together, from a Strategic Assessment to a tailored Remediation Plan, to minimize organizational risk. Contact us for more information or sign up for an assessment today.
