23 NYCRR 500

In March 2017, the New York State Department of Financial Services (DFS) implemented a new set of cybersecurity requirements for financial services companies. This NYS law supersedes and complements existing regulations that govern Financial Services enterprises that operate in the state. The new requirement is formally known as Title 23, Part 500, of the New York Codes, Rules and Regulations (NYCRR). Title 23 refers to Financial Services and Part 500 is the Cybersecurity Requirements for those Financial Services companies. It is more commonly known as 23 NYCRR 500.

 

The 23 NYCRR 500 requirements are more stringent than the regulatory regime that preceded its introduction. There are many differences to existing regs, but specifically some differences stand out. First off, NYS DFS requires that Financial Services organizations have a CISO, which will affect a surprisingly significant proportion of organizations. Secondly, the 23 NYCRR 500 stipulates controls for all business-relevant data, not only PII (personally identifiable information), with much more far-reaching consequences for controls. Also, the NYS DFS demands specific application security controls for internal development and application development by third parties. This requires some app dev security standards, such as the CISQ Security Standard, to be implemented as acceptance criteria for outsourced ADM work.

Lastly, the implications of the new NYS DFS requirement are far more potent than most Financial Services regulations. Typically, companies can take a penalty in lieu of compliance if they judge the cost of compliance to be too high. These penalties are a nuisance, and a slight deterrent, but not truly noticeable on the bottom line. The 23 NYCRR 500 allows NYS DFS to shut down an organization’s business in the State of New York. This has far more damaging consequences for the business, and will much more rigorously drive compliance.

Overall, the NYS DFS has taken a forward-looking step in terms of regulating the cyber security and resilience of our Financial Services infrastructure. This set a new high watermark for compliance and will pull the industry to build more secure infrastructure.