23 NYCRR 500: Legislation Specific to New York State

State Regulations for the Cyber Security of Financial Institutions

This is a law, adopted March 1, 2017, that is specific to businesses operating in the State of New York and is intended to protect the state from cyber-attacks. The regulation requires banks, insurance companies, and other financial institutions regulated by the State Department of Financial Services to establish and maintain a cyber security program.

Where Can Financial Institutions in New York State Begin?

You’ll want to visit the New York State page on 23 NYCRR 500. You will also want to become familiar with the requirements of this regulation, which include:

  • Maintaining a cyber security program
  • Implementing and maintaining a written cyber security policy
  • Designating a chief information security officer (CISO)
  • Limiting user access privileges around nonpublic information
  • Utilizing and training cyber security personnel
  • Establishing a written incident response plan
  • Sending notices to the superintendent upon an incident and annually by Feb. 15

The next deadline is March 1, 2018. By this time, your business will need to have met the following criteria in order to achieve regulation compliance:

  • CISO annual reporting
  • Annual Penetration Testing
  • Bi-annual Vulnerability Assessments
  • Periodic Risk Assessments
  • Multi-Factor Authentication
  • Regular Cybersecurity Awareness Training

How Can Dox Help Your Business with Regulatory Compliance?

In addition to conducting security assessments and pen testing, Dox has security solutions to assist your business in closing any gaps, securing your network and data, and getting you 23 NYCRR 500 compliant. We even offer cybersecurity awareness training, CISO services, and annual reporting so we can fill that role for your organization on a schedule that meets your needs and fits your budget.

The Final Result of Partnering with Dox Electronics

Our experts deliver the results of a complete analysis of your business against the 23 NYCRR 500 requirements. We can explain whether your company earned a pass/fail rating for each requirement based on the associated controls your organization currently has in place. This becomes a “to-do list” for your business to work through toward compliance before the March 1, 2018, deadline.

No need to worry or feel overwhelmed. Dox also provides outstanding professional services to achieve complete compliance before the deadline.

What Happens If You Don’t Meet the Deadline?

Businesses that fail to meet the deadline may face loss of business and reputation as well as fines.

The Clock is Already Ticking on Regulation Compliance

March is just a few months away, so if you need help conducting an assessment of your business security or meeting the requirements of 23 NYCRR 500 before March 1, 2018, please fill out the contact form below and we will reach out to you as soon as possible.







Don’t get caught off guard. Get regulation compliant with Dox!