NY Cybersecurity Rule 23 NYCRR 500: The Regulation

The New York State Department of Financial Services (NYDFS) has issued an updated version of its proposed Cybersecurity Requirements For Financial Services Companies, known as 23 NYCRR 500.

These guidelines require banks, insurers and other financial services companies regulated by the NYDFS to set up a cybersecurity program aimed at protecting consumer information from being compromised or stolen.

The impact of the regulation is much broader than just New York State.

Non-U.S. insurers and reinsurers in particular will want to confirm whether the proposed regulation applies to them, including excess lines insurers and “trusteed” or “certified” reinsurers.



Let Us Help You Achieve Compliance

TBG Security consultants have been helping customers comply with State and Federal business and privacy regulations for more than a decade.

Working as either a full-service consultant, or as an adjunct to your in-house teams, TBG Security will execute our phased compliance readiness process to ensure that your business meets or exceeds your compliance requirements.

Services include:

  • Creating a comprehensive information security policy.
  • Performing an audit to determine current level of regulatory compliance.
  • Providing remediation for vulnerabilities detected on your systems.
  • Advising your company on specific steps needed to achieve compliance.
  • Deploying security infrastructure to encrypt email messages automatically.
  • Encrypting your company’s laptops and other mobile devices.
  • Securing your primary security infrastructure, including firewalls, VPN access, anti-phishing, and tools to protect against malicious code.

What If I Don’t Comply?

In the past the DFS has imposed steep fines on Covered Entities (and/or demanded the termination of compliance officers) that allegedly failed to implement and maintain appropriate policies and procedures in other contexts – such as with anti-money laundering compliance programs.


NY Cybersecurity Rule (23 NYCRR 500)

Regulation type: State and Federal standards

Governing body: The New York State Department of Financial Services (NYDFS)

The regulation: NY Cybersecurity Rule (23 NYCRR 500) (also known as the “Cybersecurity Requirements For Financial Services Companies”)

Purpose: This regulation is designed to promote the protection of customer information as well as the information technology systems of regulated entities.

This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.
Senior management must take this issue seriously and be responsible for the organization’s cybersecurity program and file an annual certification confirming compliance with these regulations.

Who must comply:
EVERY bank, insurer and other financial services company regulated by the NYDFS.


Get In Touch

Need more information? We’re here to help.

Contact us