The clock is ticking!

23 NYCRR 500

On March 1, 2017 the NY Department of Financial Services adopted the strictest cybersecurity regulations in the United States. If you’re licensed by NYDFS, there are things you need to do… soon!

What is it?
Am I exempt?
What do I need to do?

Current Deadlines

Phase 1: Aug 27, 2017

Exemption Filing: Oct 30, 2017

Annual Certification: Feb 15, 2018


With introduction of 23 NYCRR 500, the New York State Department of Financial Services (‘DFS’) has formalized the most stringent requirements for cybersecurity in the United States – the first state in the country to do so. 23 NYCRR 500 is designed to promote the protection of customer information as well as the information technology systems of companies from cyber-attacks (download the full regulation here).

Companies subject to this new regulation (‘covered entities’) include non-governmental corporations, agencies, or partnerships that operate under a license, registration, charter, certificate, or similar authorization under New York Banking Law, Insurance Law, or Financial Services Law.

The essence of the regulation is this: each covered entity must assess its specific risk and address those risks through a comprehensive cybersecurity program to ensure the safety and soundness of the institution and protect its customers.

Most of the requirements of 23 NYCRR 500 are already considered “best practices” in cybersecurity. However, many companies in the industry have failed to implement those standards. As the deadlines approach and pass, this failure will result in fines and increased cybersecurity risk.

I know that seems like a lot to do – and it really is – but there’s some good news. The DFS built in some provisions to make compliance with 23 NYCRR 500 easier to manage:

  1. Companies that meet just ONE of several criteria are eligible for a “Limited Exemption” that significantly decreases the number of requirements of the law your organization has to me.
  2. DFS has instituted “grace periods”, that provide businesses with an opportunity to meet their obligations over a 2 year period. The deadlines associated with the phases outlined above are:

Phase 1 – August 27, 2017
Phase 2 – March 1, 2018
Phase 3 – September 3, 2018
Phase 4 – March 1, 2019

To learn the requirements that need to be completed on these dates, click here.


The short answer is NO. But… and it is a big BUT, if you meet certain criteria, there’s a very good chance you are eligible to meet far fewer of the requirements in the full regulation.

At a minimum, everyone has new paperwork to file annually that shows you qualify for some form of exemption. You will also have to annually certify that you’ve done what 23 NYCRR 500 requires for your company based upon its exemption status.

CAUTION: We’ve spoken with many companies that claim they are fully exempt from the regulation because they don’t understand it is a “Limited Exemption”. The worst thing you can assume is that you don’t need to do anything at all!

If you meet ANY of the following criteria, you qualify for a Limited Exemption:

  1. Fewer than 10 employees, including any independent contractors of the entity or its affiliates located in New York or responsible for business of the entity
  2. Less than $5 million in gross annual revenue in each of the last three fiscal years from New York business operations of the entity and is affiliates
  3. Less than $10 million in year-end total assets, including assets of the affiliates, calculated in accordance with generally accepted accounting principles

If you haven’t done so already, download the full regulation and our “at-a-glance” overview – then click here to learn more about the specific requirements your company has to meet.

Exemptions must be filed by September 27, 2017.  You can file for your exemption by using the form on page 14 of the regulation or by filing online.


First – the program has a number of grace periods that buy you time to meet your obligations under the law. So, DON’T PANIC. However, those grace periods don’t mean that you can procrastinate. They’re long enough to make sure you can develop an action plan, review and select the appropriate resources, and complete the requirements before each deadline.

Please review the deadlines and requirements below, then (if you haven’t already) download the full regulation to get a better understanding of the specifics of each compliance requirement.

If you have any questions, please contact us to schedule time with one of our security experts.

There are two important dates to remember beyond the deadlines below:

September 27, 2017 – this is the deadline to file for an exemption, if you haven’t done so already.
February 15 – starting in 2018, your company and executive team has to certify compliance with all the requirements of the law with deadlines prior to that date. This is an annual requirement.

Based upon what you learned about exemption criteria, here’s what you need to do and when:

Phase 1: August 28, 2017

500.2 – Cybersecurity Program
500.3 – Cybersecurity Policy
500.7 – Access Privileges
500.17 – Notification to Superintendent

Click here to learn more about our Limited Exemption Phase 1 service!

500.2 – Cybersecurity Program
500.3 – Cybersecurity Policy
500.7 – Access Privileges
500.17 – Notification to Superintendent
500.4 – Chief Information Security Officer
500.10 – Cybersecurity Personnel & Intelligence
500.16 – Incident Response Plan

Click here to learn more about our Full Regulation Phase 1 service!

Phase 2: March 1, 2018

500.9 – Risk Assessment

500.9 – Risk Assessment*
500.4(b) – Annual cybersecurity Program Report
500.5 – Penetration Testing & Vulnerability Assessments
500.12 – Multi-Factor Authentication
500.14(b) – Regular Cybersecurity Awareness training

Phase 3: September 3, 2018

500.13 – Limitations on Data Retention*

500.13 – Limitations on Data Retention
500.6 – Audit Trail
500.8 – Application Security
500.14(a) – Implement user activity monitoring controls
500.15 – Encryption of Nonpublic Information

Phase 4: March 1, 2019

500.11 – Third Party Service Provider Security Policy

500.11 – Third Party Service Provider Security Policy


How can we help you achieve compliance? Calling upon decades of experience in cybersecurity and IT, our comprehensive solutions address every requirement of the NY Cybersecurity regulation.


Our library of over 300 policies and procedures is built using the NIST Cybersecurity Framework and COBIT5 implementation standards. These policies and procedures are customized using a built-in program plan to provide a complete cybersecurity program – delivered our own strake/IR platform to make them actionable, trackable, and auditable. Our policy and procedure libraries fulfill requirements included in the following sections of 23 NYCRR 500:

PHASE 1: 500.2, 500.3, 500.7, 500.16, 500.17
PHASE 2: 500.4(b)
PHASE 3: 500.8, 500.13, 500.14(a)
PHASE 4: 500.11


Our professional services team addresses Assessments (Risk + Vulnerability) and Penetration Testing, Engineering Design and Implementation, Outsourced Personnel (CISO + cybersecurity staff), in addition to Team Training, Education, and Recruitment. We’ll identify your existing risks and security gaps, then provide a comprehensive plan for securing your organization.  Our service and staffing solutions fulfill requirements included in the following sections of 23 NYCRR 500:

PHASE 1: 500.4, 500.10
PHASE 2: 500.4(b), 500.5, 500.9, 500.14(b)
PHASE 3: 500.8
PHASE 4: n/a


Our team has fully vetted the technologies and managed services necessary to secure your systems and information. We offer best-in-breed authentication, encryption, detection, and monitoring products provided as in-house implementations or managed service.  Our technology solutions fulfill requirements included in the following sections of 23 NYCRR 500:

PHASE 1: 500.4, 500.10
PHASE 2: 500.4(b), 500.12, 500.14(b)
PHASE 3: 500.13, 500.14(a), 500.15
PHASE 4: n/a


Every element of the regulation is accompanied by one of more than 20 one-hour workshops to educate your team and guide them through every step of the compliance process. Workshops are either web-based or on premise.

Compliance, Response, and Mitigation

Get the whole 9yahds