AlgoBuzz Blog

Everything you ever wanted to know about security policy management, and much more.


23 NYCRR 500: What you need to know


If your organization is a financial institution and you operate in New York, or plan to in the future, then you come under the jurisdiction of the Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500) recently issued by the New York State Department of Financial Services.

The regulations came into effect on March 1st 2017, and their extended requirements came into force last month, requiring covered organizations to implement security policies that cover their third-party service providers as well as themselves.

If you aren’t too familiar with the requirements, time is of the essence.

Am I covered?

First, you need to understand precisely which entities come under the new requirements. The regulations apply to every ‘covered entity’, which can be an individual, a partnership, a corporation or an association, and includes commercial banks and trust companies, check cashers, domestic and foreign representative bank offices, health insurers, life insurance companies, money transmitters, mortgage brokers, loan originators and loan servicers, property and casualty insurance companies, sales finance companies, and service contract providers.

It’s an extensive list, so if you are unclear as to whether your organization is covered, refer to the full requirements here.

What do I need to do?

If your organization does fall under the requirements, there are four main areas that you need to act on:

  1. Conduct a periodic Risk Assessment of all your information systems. You can carry this out internally, or employ a third party to do it for you.
  2. Design and maintain a Cybersecurity Program based on the results of that assessment. Robust network security should be a core part of this program. It should protect the confidentiality, integrity and availability of your information systems, and include defensive infrastructure, policies and procedures to prevent unauthorized access.
  3. Implement and maintain a written Cybersecurity Policy and Third Party Service Provider Security Policy, again based on the results of that risk assessment. Bear in mind that the Cybersecurity Policy must address concerns in alignment with industry best practices and ISO 27001 standards.
  4. Designate a Chief Information Security Officer who takes ultimate responsibility for the Cybersecurity Program and enforcing the Cybersecurity Policy.

While the list might seem short, the technologies, policies and processes required to comprehensively complete these items can be very complex. Your Cybersecurity Program, for example, should include an element of proactivity, either with continuous monitoring or regular penetration testing and vulnerability assessments. It should cover access controls, ensuring that sensitive information is not easily available, and effective controls such as multi-factor authentication or risk-based authentication should be in place to prevent unauthorized access to nonpublic information and systems. You will need to design and implement risk-based policies, procedures and controls for monitoring user activity, and a written incident response plan should be in place. Of course, everything you do should include a thorough audit trail.

When it comes to creating policy in line with the requirements of the ISO 27001 standard, you must ensure it covers: systems and network security, information security, access controls, disaster recovery planning, customer data privacy and regular risk assessments.

How do I report and certify?

Here, there are two key steps. First, your (potentially newly appointed) Chief Information Security Officer needs to report annually to either your board of directors or a senior officer on the implementation and effectiveness of every element covered above. This report should also include a run-through of any material cybersecurity events.

Second, the board of directors or a senior officer needs to provide a written statement to the New York State Superintendent of Financial Services certifying that the Cybersecurity Program complies with this regulation.

What next?

AlgoSec is well-versed in helping organizations to achieve and maintain compliance with these requirements. By using AlgoSec’s network security policy management solution, organizations can automatically align their network security with the key requirements of ISO 27001 and, crucially, generate a clear and automated audit trail for demonstrating that compliance.

For more details on how AlgoSec can help you address your compliance needs, click here.
