What is 23 NYCRR 500?
23 NYCRR Part 500 is the New York State Department of Financial Services (DFS) cybersecurity regulation for financial services companies. It requires each regulated institution (a "Covered Entity") to protect its information systems and the nonpublic information held on them, and to document that protection in a cybersecurity program, written policies, and annual certifications to DFS.
Effective Date: March 1, 2017
Compliance Date: August 28, 2017 (end of the initial 180-day transitional period)
Does 23 NYCRR 500 apply to me?
23 NYCRR 500 applies to any organization or company operating under a license, registration, charter, certificate, permit, or similar authorization from the New York State Department of Financial Services. A Covered Entity qualifies for a limited exemption if one of the following applies:
- Fewer than 10 employees, including independent contractors located in New York or responsible for the business of the firm
- Less than $5,000,000 in gross annual revenue in each of the last three fiscal years from New York business operations
- Less than $10,000,000 in year-end total assets, including assets of affiliates
The exemption is limited, not total: an exempt firm is still required to maintain a cybersecurity program and written cybersecurity policy, perform a risk assessment, limit data retention, manage third-party service provider risk, notify DFS of cybersecurity events, and file the annual certification of compliance.
*If your firm meets an exemption qualification you must file a Notice of Exemption with the Superintendent of Financial Services within 30 days of determining that it qualifies; for firms that qualified at the outset, the filing deadline was September 27, 2017.
How Sera-Brynn can help?
Compliance with 23 NYCRR 500 is an ongoing process that every DFS-regulated financial institution will have to take on. Our audit and advisory teams focus on providing you with a comprehensive roadmap for reaching compliance with 23 NYCRR 500. Using a third-party auditor such as Sera-Brynn will help your company properly mitigate and manage risk.
What is our Process?
- Assessment: During this phase Sera-Brynn will assess what systems are in place and which policies are implemented in your business processes.
- Technical Compliance and Documentation Development: During this phase Sera-Brynn will first develop and conduct a tailored technical scan of your network. From the results we will develop a Cybersecurity Policy, Risk Assessment, and Incident Response Plan customized to your company's needs.
- Final Assessment and Validation: During the final phase of the process Sera-Brynn will deliver a comprehensive Plan of Action and Milestones (POA&M), a Compliance Status Summary, and a Compliance Assessment Completion Certificate.
Other Relevant Deadlines:
February 15, 2018 – First annual Certification of Compliance filed with the Superintendent (due every February 15 thereafter)
March 1, 2018 – CISO's first annual written report to the board, annual penetration testing and bi-annual vulnerability assessments in place, Risk Assessment completed, Multi-Factor Authentication, Cybersecurity Awareness Training (the CISO designation itself was due by the August 28, 2017 compliance date)
September 3, 2018 – Audit trail implemented, Application Security program implemented, Data Retention Policy, monitoring of authorized user activity, Encryption of nonpublic information in transit and at rest
March 1, 2019 – Third-party service provider security/vendor management policy implemented