How to achieve NYDFS Cybersecurity Regulation (23 NYCRR 500) compliance

There is still time to comply with NYDFS Cybersecurity Regulation (23 NYCRR 500) if your organization has not done so. March 1, 2019 marks the end of the two-year transitional period for the Regulation.

Final requirements

Compliance with all sections of 500.11 (Third Party Service Provider Security Policy) is required by the final deadline.

Requirements remaining after the previous two transitional periods are under sections:

  • 500.02 Cybersecurity Program
  • 500.03 Cybersecurity Policy
  • 500.04(b) Reporting of the Chief Information Security Officer
  • 500.07 Access Privileges
  • 500.10 Cybersecurity Personnel and Intelligence
  • 500.11 Third Party Service Provider Security Policy
  • 500.16 Incident Response Plan
  • 500.17 Notices to Superintendent
  • 500.18 Confidentiality

Dates under New York’s Cybersecurity Regulation (23 NYCRR Part 500)

  • March 1, 2017 – 23 NYCRR Part 500 becomes effective.
  • August 28, 2017 – 180-day transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR Part 500 unless otherwise specified.
  • September 27, 2017 – Initial 30-day period for filing Notices of Exemption under 23 NYCRR 500.19(e) ends. Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
  • February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
  • March 1, 2018 – One-year transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
  • September 4, 2018 – Eighteen-month transitional period ends. Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
  • March 1, 2019 – Two-year transitional period ends. Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.

The above dates make up the Regulation’s two-year compliance schedule.

It’s not too late to begin your compliance journey

The NYDFS doesn’t provide much information on exactly how organizations should comply with the legislation. Fortunately, most of its requirements align with the best practices described in ISO 27001, so organizations can use the Standard as a basis for their NYDFS Cybersecurity Requirements compliance project.

IT Governance is the one-stop shop for your ISO 27001 needs. We offer books, toolkits, training courses, staff awareness solutions, and consultancy services.

If you haven’t yet conducted a risk assessment in line with the Cybersecurity Requirements, you might be interested in vsRisk™. You will need to perform a risk assessment to meet many of the NYDFS’ requirements, and Vigilant Software’s tool helps simplify the process. It provides a simple and fast way to identify relevant threats, and delivers repeatable, consistent assessments year after year.

vsRisk’s integrated risk, vulnerability, and threat database eliminates the need to compile a list of potential risks from scratch, and its built-in control sets help you comply with multiple frameworks.

Deck your office with cybersecurity

Take advantage of our special holiday offer. Spend over $500 and receive $50 off, $1,000 and get $100 off, $2,000 and get $200 off, or $5,000 and get $500 off your total purchase.

Offer applies automatically at checkout. Hurry, the promotion ends January 31, 2019.
