What is 23 NYCRR 500?
The 23 NYCRR 500 guidelines have been developed to ensure the protection of customer information and information systems of regulated New York financial institutions. It is the first-in-the-nation regulation imposing comprehensive cybersecurity and reporting requirements on banks, insurance companies, and other financial institutions.
Effective Date: March 1, 2017
Enforcement Date: August 28, 2017
Does 23 NYCRR 500 apply to me?
23 NYCRR 500 applies to any organization or company that is regulated by the New York State Department of Financial Services unless one of the following applies:
- Fewer than 10 employees, including independent contractors located in New York or responsible for business of the firm
- Less than $5,000,000 gross annual revenue in each of the last three fiscal years
- Less than $10,000,000 in year-end total assets
*If your firm meets an exemption qualification, you must file that exemption with the Superintendent of Financial Services by September 27, 2017.
How can Sera-Brynn help?
Compliance with 23 NYCRR 500 will be a process that each financial institution in the New York area will have to take on. Our audit and advisory teams focus on providing you with a comprehensive roadmap on how to reach compliance with 23 NYCRR 500. Using a third-party auditor such as Sera-Brynn will help your company properly mitigate and manage risk.
What is our process?
- Assessment: Sera-Brynn will assess what systems are in place and what policies are implemented in business processes.
- Technical Compliance and Documentation Development: First, Sera-Brynn will develop and conduct a tailored technical scan of your network. From this we will be able to develop a Cybersecurity Policy, Risk Assessment, and an Incident Response Plan customized for your company’s needs.
- Final Assessment and Validation: During the final phase of the process, Sera-Brynn will deliver a comprehensive Plan of Action and Milestones (POAM), a Compliance Status Summary, and a Compliance Assessment Completion Certificate.
23 NYCRR Part 500 goes into effect. FAQs provided by the NY Department of Financial Services.
Covered Entities are required to be in compliance with requirements of 23 NYCRR Part 500 unless otherwise specified.
Covered Entities that have determined that they qualify for a limited exemption under 23 NYCRR 500.19(a)-(d) as of August 28, 2017 are required to file a Notice of Exemption on or prior to this date.
Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
Covered Entities are required to be in compliance with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR Part 500.
Covered Entities are required to be in compliance with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR Part 500.
Covered Entities are required to be in compliance with the requirements of 23 NYCRR 500.11.