August 28 Deadline Nears for 23 NYCRR 500: Can You Pass the Compliance Test?

Less than three weeks remain for New York financial service companies to meet the initial cyber 23 NYCRR 500 security requirements set forth by the New York Department of Financial Services (NYDFS). As part of a series of rolling deadlines, August 28 is the first major deadline. In our first blog, we discussed which covered entities must comply. Whether your company is on track to fulfill the initial requirements or you’re still playing catchup, you need to be sure that you are prioritizing the right security controls so you aren’t wasting valuable time and resources.

In our first blog about the August 28 23 NYCRR 500 deadline, we discussed which covered entities must comply and outlined the high-level requirements financial institutions should be prioritizing to abide by the NYDFS’ first transition period. Here’s a more detailed breakdown of each section’s requirements:

500.02: Cyber Security Program Development

500.02 requires financial service companies to create and maintain an official cyber security program to protect information systems. Documentation of this program must also be available upon request from the NYDFS. The program shall be designed to protect the confidentiality, availability, and integrity (CIA) of the entities’ information systems, and shall be based on the entities’ risk assessment. It should also address the following requirements:

  • Identify and assess internal and external risks to new product introduction (NPI);
  • Leverage defensive infrastructure, policies, and procedures to protect against; unauthorized access and other malicious acts;
  • Detect cyber security events;
  • Respond to identified or detected cyber security events;
  • Recover from a cyber security event and restore normal operations and services; and
  • Report and fulfill applicable regulator reporting obligations.

500.03: Documentation of Cyber Security Policies

Based on the entities’ risk assessment, different policies need to be established for:

500.04(a): Chief Information Security Officer

All parties must designate a qualified chief information security officer (CISO) to lead the cyber security program.

500.07: Access and Privileges

Financial organizations are required to create processes and procedures to limit access and review privileges to nonpublic information.

500.10 Cyber Security Training

All cyber security personnel should receive ongoing cyber security awareness training for properly monitoring authorized users, detecting unauthorized users, and handling nonpublic information.

500.16: Incident Response Plan

A written incident response plan should:

  • Address internal processes for responding to a cyber security event;
  • Outline goals of the incident response plan;
  • Define clear roles, responsibilities, and decision-making authority;
  • Plan external and internal communications, and information sharing;
  • Identify requirements for the remediation of any known weaknesses in information systems and related controls;
  • Document and report requirements regarding a cyber security event and incident response activities; and
  • Re-evaluate and revise the incident response following a cyber security event.

500.17: Reporting

All annual reporting and cyber security event notifications need to be directed to the NYDFS superintendent. Notice needs to be delivered as soon as possible but no later than 72 hours.

Consider These Last-Minute Implementation Challenges

The requirements above are foundational pieces of a healthy cyber security program. Each requirement emphasizes the need to identify and support security professionals within the firm, in addition to documenting and enforcing policies that should be adopted to secure your organization’s nonpublic information.

All of these requirements take some time to set up, but in the case of the cyber security program and incident response plan development, there are a lot of other steps involved, including verifying that your security controls and access controls are effective. Even if you’re confident you can develop the procedures and policies in-house, it’s difficult prove you can meet response, recovery, and reporting requirements without having gone through an actual incident or live drill.

That’s why enlisting the help of dedicated cyber security professionals to not only develop but test an incident response plan is so important. These subject matter experts can even help to verify that your program is built to handle the upcoming battery of compliance tests. After all, when it comes to the reporting process, regulators will want clear proof to meet compliance standards.

These requirements should not only be an effective means of understanding processes and procedures, but they should also help establish a security-conscious culture among the workforce to aid in the prevention of cyber security events. A team effort is involved to stay compliant.


Depending on your organization’s current information security maturity, it may be well prepared to meet the 23 NYCRR 500 people and process requirements. For organizations that are looking to build their security programs independent of third-parties, we offer some tips to consider while establishing a security program.

If your organization is still scrambling to fulfill the requirements outlined above, Delta Risk provides advisory and consulting services that will help address each of the obligations. In fact, our infographic depicts where each section of the regulation could be supported, including monitoring, cyber training, and risk assessments. You can also check out our blog on the differences between the 23 NYCRR 500 regulation and other regulations.