What is NYSDFS 23 CRR 500?

New York State Department of Financial Services created the 23 NYCRR Part 500 a cybersecurity regulation on March 1st, 2017. This regulation applies to organizations and agencies in the financial service industry. Entities such as Mortgage banks, Insurance firms, and Private lenders are required to comply.


What cyber components are being looked at during an audit?

A strong cybersecurity stance allows you or your IT department to submit and monitor necessary logs, and easily identify risk-based policies that limit access to nonpublic information. 

Failure to comply with 23 CRR 500 can result in massive financial penalties for your organization. Failure to comply with FFIEC guidelines can result in penalties totaling $ 2 million. In 2018, NYSDFS issued a $1.8 million dollar fine to a New York State insurance company that failed to implement multi-factor authentication, an explicit control required by NYSDFS CRR 500.12(b).

In addition, under 23 NYCRR 500.17(a)(2), Cybersecurity Events must be reported to the Department if they “have a reasonable likelihood of materially harming any material part of the normal operation(s) of the Covered Entity.” 

NYSDFS Proposed Amendments

On July 29th, 2022 NYSDFS announced new changes to multiple sections of the current cybersecurity regulations. The changes proposed introduced new requirements for  “CLASS A” companies, those earning over $1 billion in gross annual revenues over the last three years and over 2,000 employees. The requirements for CLASS A companies have more components for regulation, such as a weekly vulnerability assessment and EDR requirements.

Below, we will review a few of the proposed changes and what that means for your business.

500.4 CISO Increased Authority & Enhanced Cybersecurity Knowledge Requirement by Senior Board

A new component of the amendments increases the roles and authority of the Chief Information Security Officer (CISO) to ensure cyber risks are properly managed and in a timely manner.

According to section 500.4 amendments, “The CISO must have adequate independence and authority to ensure cybersecurity risks are appropriately managed”. Additionally, the CISO will include in their annual written report plans for remediating identified weaknesses, and report to the senior management or board on the entity’s risk assessment, and major cyber events. 

Additionally, 500.4 amendments require the board (or committee of the board) to have sufficient expertise and knowledge, or someone to advise on the effective oversight of cyber risk, along with a subcommittee assigned responsibility for cybersecurity. 

What do these changes mean for my cyber program?

  • Your Senior board must be advised by a cybersecurity expert (MSSP) or employ in-house talent, and form a subcommittee responsible for overseeing cybersecurity. 
  • Your CISO (or third-party MSSP, MSP, or vCISO) has the authority and independence to remediate cyber risks. 
  • Your CISO (or third-party equivalent) has new reporting requirements to be submitted in their annual report.  

500.5 Continuous Monitoring: Weekly Requirements and Documentation

To further increase continuous monitoring requirements, a pen test must be performed by a qualified independent party. Those considered a “CLASS A” company (over 2,000 employees) will conduct systematic scans at least weekly. Gaps found during testing will be documented and reported to senior management. 

What is not considered continuous monitoring?

  1. Manual Reviews of logs and configuration files
  2. Periodic review of firewall changes or logins
  3. Not enabling or configuring alerting for IPS or IDS (Intrusion Prevention Services)
What do these changes mean for my cyber program?
  • Penetration Test is to be completed annually by a qualified, independent party (NOT YOUR MSSP OR MSP)
  • Bi-annual and regular vulnerability assessments are required.
  • CLASS A companies will conduct scans or reviews on a weekly basis. 

500.12: The Important of Multifactor Authentication

The new amendments expand on the importance of multifactor authentication, the CISO must now approve in writing the compensating controls that achieve reasonably equivalent security when MFA is not enforced on a privileged account. The new amendments also require MFA specifically for remote access to the network and third-party applications that contain non-public information. 

Secure End Solution has constantly enforced and highlighted the importance for our clients to implement Single Sign On (SSO) for third-party enterprise applications and enforce MFA across all accounts. The proposed amendments for this section, in our opinion, is the single most significant change. 

What do these changes mean for my cyber program?

  •  Third-party applications containing NPI, such as Office365, Dropbox, Salesforce, etc. must utilize MFA. 
  • Remote access into the network (VPN), or logging into the above from a remote location must utilize MFA.

500.14 Spam Filtering, Required cyber-training, and endpoint detection response

The new amendments require CLASS A companies to adopt a SIEM, or centralized logging and security event alerting solution. Otherwise, all companies must implement an email spam filtering solution and provide yearly training for all employees. 

What do these changes mean for my cyber program?

  • Spam filtering is required
  • Annual phishing training, cybersecurity simulations, or exercises are required for all employees
  • CLASS A companies require EDR (endpoint detection and response) 
  • CLASS A companies require a centralized logging and security event alerting solution

Not so sure your cyber program is audit Ready?

We can increase your cybersecurity stance before an audit. Schedule a free consultation with our cyber team today.