23 CRR-NY 200: A Guide to Cybersecurity Requirements

New York’s Department of Financial Services (DFS) sets cybersecurity requirements for businesses operating in the virtual currency space in 23 NYCRR Part 200, the BitLicense regulation. This guide reviews sections 200.16 (cyber security program) and 200.17 (business continuity and disaster recovery) of Part 200 and provides a general outline for meeting compliance. A BitLicense is required by DFS for any business engaged in virtual currency business activity involving New York or New Yorkers, and DFS expects every BitLicense holder to meet the requirements outlined in Part 200.

Who needs to follow 23 CRR-NY 200?

TL;DR: every BitLicense holder.

A BitLicense is issued by DFS to any individual or company engaged in virtual currency business activity. DFS expects every BitLicense holder to meet or exceed the requirements outlined by 23 NYCRR Part 200, in addition to the policies, management obligations, laws, rules, and other regulations that come with maintaining the license.

  • Licensees are examined by DFS at least once every two calendar years (section 200.13).

General Overview of the Cyber Requirements in NYCRR Title 23, Part 200

TL;DR: use the NIST Cybersecurity Framework as a general outline, and meet the requirements of NYDFS 23 NYCRR Part 500 as well as Part 200.

Following the NIST Cybersecurity Framework (CSF) is an excellent starting point for meeting the requirements outlined under 23 CRR-NY 200. NIST CSF 2.0 is a framework to help organizations reduce their cybersecurity risks. CSF 2.0 organizes outcomes into six functions (Govern, Identify, Protect, Detect, Respond, and Recover), each needing its own set of technical controls, administrative controls, and policies to go alongside it.

The cyber requirements of NYDFS Part 200 align with the framework’s core functions: section 200.16(a) requires the cyber security program to perform the five functions below, which map directly to the CSF functions of the same names.

Identify: Catalog internal & external cyber-risks by mapping data, sensitivity, users, and access paths.

Protect: Shield systems and data from unauthorized use.

Detect: Spot intrusions, malware, and violations fast.

Respond: Contain and mitigate incidents.

Recover: Restore normal operations quickly.

When it comes to aligning with NIST, there is no base checklist to follow. The process starts with a coordinated team of IT and security staff, or a CISO, who understands your network, your cloud resources, and the IT systems currently in place at your organization. With that information, they can begin documenting which controls need to be implemented.

We can rattle off a few things, such as a system inventory, a zero trust architecture with MFA enforcement, encryption at rest and in transit, least privilege, AAA controls, a SIEM, IDS/IPS, EDR, and a next-generation firewall, but no two networks or organizations are the same. This is where the NIST framework helps align your organization with best practices. Each control must be configured professionally and tailored to your organization.

DFS officials stated that they evaluate a BitLicensee’s cybersecurity program with a focus on the requirements of 23 NYCRR Part 500, Cybersecurity Requirements for Financial Services Companies (Part 500).

In practice, the Part 500 certification alone does not meet the Part 200 requirement. – DFS Report 2022-S-18

Review Cyber Policy Documentation Requirements

Let’s start with the following documents and policies. Your cybersecurity policy should be approved by the board annually. At a general level, Part 200 is looking for the following policies and procedures documentation.

“policies and procedures for the protection of its electronic systems and customer and counterparty data stored on those systems, which shall be reviewed and approved by the licensee’s board of directors or equivalent governing body at least annually. The cyber security policy must address the following areas:”

Information security program overview, or WISP

A Written Information Security Program (WISP) is the umbrella document that describes the program as a whole: its scope, roles and responsibilities, risk assessment, and the controls and policies listed below.

Data governance and classification is how you identify the data on your systems, classify it by sensitivity, and define how each class is handled; this policy should be included in your cyber program.

An access control policy defines who and what may access your information systems, and how that access is granted, reviewed, and revoked.

Your business continuity and disaster recovery plan should be included within your cyber program, covering who to call, what notifications must be made, how systems are to be restored and in what order, and the recovery time objectives for these critical systems. Section 200.17 requires the plan to be tested at least annually.

Systems operations and availability planning covers how your IT systems will continue to function during an outage, including capacity and performance planning.

Physical security and environmental controls will need to be implemented, such as a 24/7 badge-controlled door entry system with access logs. These should be documented in your cyber program.

A customer data privacy policy should be visible on your public website, as well as included in your cyber program.

Third-party vendors and service providers must be held to the same cybersecurity standards as your employees in most cases, and when handling sensitive data these vendors must use the same secure methods to connect to and access that data.

An incident response plan is a run down of what happens, who to contact, and the steps for recovery, as well as notifications when a security incident occurs. They are sometimes referred to as SIRP policies.

As your network, vendors, and policies change, your change management plan must remain up to date. Monitoring of information security systems in most cases must be 24/7.

Audit trails must protect the integrity of the data they record and must be retained in accordance with the recordkeeping requirements of Part 200 (section 200.12 requires books and records to be preserved for at least seven years). Note that the five-year retention figure comes from Part 500, not Part 200.

Reporting should be outlined: who is responsible and how often reporting must be completed.

Follow The Cyber Program Compliance Requirements

A major requirement under Part 200 that is not required under Part 500 is for the CISO to submit and present an annual report. “Part 200 requires a BitLicensee to submit an annual report prepared by the Chief Information Security Officer (CISO) and presented to the board of directors. This must assess the availability, functionality, and integrity of the BitLicensee’s electronic systems, identify relevant cyber risks to the licensee, assess the cybersecurity program, and propose steps to address any inadequacies identified.”

In practice, the Part 500 certification alone does not meet the Part 200 requirement. – DFS Report 2022-S-18

Understand Training and Staff Requirements

Your staff should consist of cybersecurity professionals, either in-house or outsourced to a managed security service provider (MSSP), who can cover all five core functions. Section 200.16 also requires regular cyber security training for security personnel and that key personnel keep up with new threats and countermeasures as they are discovered:

(3) require key cyber security personnel to take steps to stay abreast of changing cyber security threats and countermeasures. 

23 CRR-NY 200.16
23 NYCRR Part 200 requires a qualified CISO who is responsible for overseeing and implementing the cyber security program and enforcing its cyber security policy. The CISO must prepare a report, presented to the board at least annually and submitted to DFS, assessing the availability, functionality, and integrity of the licensee’s electronic systems, identifying relevant cyber risks, assessing the cyber security program, and proposing steps to redress any inadequacies identified.

Technical Information

TL;DR: BitLicensees are required to adopt a rigorous cyber program, extensive BC/DR planning, and an annual CISO or vCISO report presented to the board of directors.

Service Information

Control Type: Cybersecurity Regulation

Industry: Financial Services

Enforced By: New York State Department of Financial Services

Regulation Location: New York, USA

Regulatory Information

Examination Frequency: At least once every two calendar years

Documentation: DFS Resource Center


Integrating Your Security Ecosystem

Think of your cyber program as a living ecosystem. Every tool, technical control, and policy is tailored to your risk, budget, and regulatory posture. This creates defense in depth, with the goal of reducing your attack surface and providing real-time monitoring for threats and bad actors within your network.

Optimize IT spend while scaling securely in high-stakes environments.

Our solutions for financial institutions are designed to reduce risk, secure sensitive data, and enable scalable, compliant growth. We bring structure, visibility, and accountability to every layer of your cybersecurity and infrastructure strategy.

Strategic prevention. Multi-layered defense that protects users, data, and systems.

Financial Data Protection

Our team has vast experience with NYSDFS 23 NYCRR Part 500 and Part 200. From implementing IT systems with the documentation and logs that prove compliance, to providing expertise as your vCISO to the board, we work to keep your organization secure, audit ready, and with risk reduced to an acceptable level.

We evaluate the availability, functionality, and integrity of your existing cybersecurity program by conducting a vulnerability assessment. We work to minimize risk by reducing the attack surface and implementing 24/7 alerting to stay ahead of patterns and behaviors that may indicate a bad actor or threat is active on your network or arriving through a malicious email.

We design and maintain secure, high-performance IT environments that protect critical systems without compromising speed. From firewalls and segmentation to patching and access controls, every component of your infrastructure is built for endurance, reliability, and regulatory confidence.

We can be leveraged to provide the roadmaps, oversight, and executive accountability you need to build a mature, compliant, and effective security ecosystem. Our staff includes a certified Encompass Administrator with deep expertise in the mortgage industry.

Our U.S.-based priority support team delivers direct access to senior engineers for immediate resolution of IT or cybersecurity issues. No ticket queues. No waiting. Just fast, reliable, white glove support when it counts most. Our team works as an extension of your company, with support only a text away to resolve most tech issues.

Email Encryption / Security

Email is still the #1 attack vector. Explore solutions for DMARC, SPF, DKIM, encryption for outbound and inbound email, spam filtering, and malware protection.

Antivirus & Endpoint Protection

EDR (Endpoint Detection & Response) tools to stop malware, ransomware, and zero-day attacks in real time. 

Regulatory Expertise

Deep understanding of the complex compliance landscape in finance.

Zero Trust Architecture

Controls that deny any unknown devices from accessing company resources. Controls to enforce location based logins, cyber baselines on devices, and advanced logging.

Multifactor Authentication

Multifactor adds an additional layer of security to your accounts, helping to prevent phishing attempts or leaked passwords from leading to breaches.

Data Protection

Testing applications, shared data on your network, the way network devices transmit data, and their connections to third party applications.

Request an Advanced Security Assessment

Every control reinforces the next, building a cohesive security ecosystem that stops breaches cold.
