23 NYCRR Part 500

We provide analysis and thoughts on the New York State Department of Financial Services 23 NYCRR Part 500. Cyber security controls are required for covered entities. We provide in-depth discussion on how to interpret and apply various sections. You’ll find articles on how to report and what it means to be exempt.

Pop Quiz: When is Pen Testing a Compliance Requirement?

We live in a world where organizations are required to pen test their IT systems and networks. Sometimes. Do you know when penetration testing is required? Or when it’s industry standard? Or when it’s just a good idea? Penetration testing, sometimes called ethical hacking, simulates real-world ways hackers can compromise network and IT assets. The…

GLBA is About to Get a Cybersecurity Upgrade

If you aren’t a regular reader of the Federal Register, you may have missed a proposed upgrade for safeguarding customer information. Background: When the Gramm Leach Bliley Act, fondly known as GLBA, was enacted in 1999 we were worried about Y2K, a gallon of gas cost $1.22, and SpongeBob SquarePants had just premiered on Nickelodeon…

New York State Department of Financial Services – Cybersecurity Requirements for Financial Services Companies

Banks, insurance companies, and other financial services institutions with home states or branches in New York have less than a month left to create compliant cybersecurity programs. August 28, 2017 is the deadline for this first-in-the-nation requirement. Sera-Brynn’s New York Cybersecurity Assessment (based on 23 NYCRR Part 500) includes: Developing a compliant Cybersecurity Program and…

New York Rule 500 dictates NY financial institutions must certify cybersecurity programs by February 15, 2018

New York State is the first in the U.S. to impose a comprehensive cybersecurity regulation on financial institutions, and the regulation, “Cybersecurity Requirements for Financial Services Companies,” (also known as NY Rule 500 or 23 NYCRR Part 500) has a key deadline on the horizon. February 15, 2018 is the date by which the entities…

New York State Cyber Regulation Requires New Safeguards in 2017

As of March 1, 2017, companies subject to regulation under the Banking Law, Insurance Law, or Financial Services Law in New York State are required to protect their networks and customer data with strong new safeguards under 23 NYCRR 500, Cybersecurity Requirements for Financial Services Companies. The new requirements will feel familiar to companies doing…