The Lockdown

Thycotic’s Cyber Security Blog

NYS DFS 23 NYCRR PART 500: What is it and when is the compliance deadline?

Written by Thycotic Team

November 9th, 2017

What is DFS 23 NYCRR PART 500?

23 NYCRR PART 500 is a regulation that establishes cybersecurity requirements for financial services companies.

The concept of cybersecurity is nothing new, and regulations or compliance mandates around cybersecurity are nothing new either.  At its core, cybersecurity is all about protecting your organization’s data and network from malicious attackers who will use the internet to gain unauthorized access to sensitive information.

So if we understand that, then we also know this means that any requirements around passwords, data protection, access control, and network authorization would fall into the realm of cybersecurity.  PCI DSS, HIPAA, NIST, and NERC—to name a few—all have some controls in place aimed at protecting data through better network, people, and data controls.

So why is the mandate from the New York State Department of Financial Services so important?

It’s important because this is the first time we’ve had a government-mandated (albeit state-level) regulation centered entirely on the end-to-end concept of cybersecurity and everything it entails.  It can serve as a blueprint for other states and governments looking to implement their own cybersecurity regulations quickly.

It’s reassuring to see the state of New York take matters into its own hands after the recent wave of breaches that have made the news.  When it comes to the data that financial institutions hold, the cost of a breach can be severe—not just for the bank, but for its customers as well.

It will be interesting to watch financial institutions work to become compliant with this new regulation, especially those still running outdated or unpatched systems.

We will also be keeping an eye on foreign-run banks to see whether any of them pull their branches out of New York.

So what’s in 23 NYCRR PART 500?

In two words—a lot. But a lot of really good stuff: everything from multi-factor authentication and application security to access privileges and incident response plans.

What is the timeline for 23 NYCRR PART 500 compliance?

There is no single compliance date, because the regulation was rolled out with staged transition periods (which is a good thing).  The regulation went into effect on March 1, 2017, and the first round of requirements had to be met by August 28, 2017.  Over the next 2 years there will be further deadlines by which additional sections of the regulation must be complied with.
