A new cybersecurity regulatory regime will go into effect this year in New York – the world’s financial capital and home to many banking, insurance and financial services organizations. The proposed cybersecurity regulation, known as 23 NYCRR 500, has grabbed the attention of impacted companies doing business in New York, and others who might be anticipating cybersecurity requirements in their jurisdictions and industries.

New York Governor Andrew Cuomo announced the new "first-in-the-nation" cybersecurity regulation in September 2016, saying it is necessary to "guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible." The proposed regulation is currently being reviewed by the DFS to take into account comments by the banking industry.

You may be wondering what the regulation says and how to comply. We put together this brief FAQ to help you understand whether and how this regulation affects your organization, what the regulation covers from a security standpoint, and what protections you should consider to meet compliance requirements. Although this doesn’t constitute legal advice, we hope this FAQ helps you begin the process of planning your next steps for compliance.

What is 23 NYCRR 500?

The new cybersecurity regulation proposed by the New York State Department of Financial Services (DFS) is officially known as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, or 23 NYCRR 500 for short.

Who is covered?

The DFS is the regulatory body that oversees financial services companies licensed by or operating in New York State. Organizations covered by the new cybersecurity regulation include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers. There are exemptions for some smaller organizations.

When does it go into effect?

Once it is final, the regulation is scheduled to go into effect on March 1, 2017. As originally proposed, there is a 180-day grace period for companies to comply. A further requirement to provide a Certification of Compliance to the DFS will commence in January 2018.

What does the regulation require?

The proposed regulation includes a comprehensive list of requirements for protecting information systems from cybersecurity threats and unauthorized access to “non-public information.” Below is a partial list of the main requirements.

Covered entities must:

  • Implement a cybersecurity program with written policies and an audit trail
  • Employ a Chief Information Security Officer (CISO) and dedicated cybersecurity personnel
  • Identify cyber risks and conduct penetration testing at least annually and vulnerability assessments at least quarterly
  • Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
  • Assess risk to non-public information and information systems accessible or held by third parties, and conduct third-party security assessments at least annually
  • Provide regular cybersecurity awareness training and require all personnel to attend it
  • Implement controls, including encryption, to protect non-public data in transit and at rest
  • Establish an incident response plan, including notification of regulatory agencies

How might you meet compliance?

Strategic organizations understand that compliance cannot be treated as an end in itself; it is the outcome of an ongoing process. The Veracode Application Security Platform provides a variety of methods to assess application security, reporting for compliance and development teams, and secure development training. Veracode helps deliver continuous compliance by:

  • Providing application security testing that integrates into your software development lifecycle
  • Conducting regular discovery scans of the web applications in your domain, including temporary marketing sites, international domains and sites obtained via M&A
  • Continuously monitoring your production web applications for vulnerabilities
  • Providing virtual patching for your web application firewalls based on the security intelligence from your application assessments

Below are some possible security solutions you should consider when assessing your risk and compliance requirements.

  • Veracode's Application Security Platform can provide a secure audit trail of your compliance processes, including critical information such as application security scores; listings of all discovered flaws; and flaw status information (new, open, fixed, or re-opened). Summary data is also included for third-party assessments, including scores and top risk categories
  • Veracode Static Analysis can ensure that your applications are not vulnerable to attack through exploits such as SQL injection and Cross-Site Scripting, preventing potential data loss, brand damage, and ransomware infections
  • Veracode Static Analysis can help meet the requirement to protect non-public information by assessing your applications’ cryptographic code for known vulnerabilities and ensuring encryption is implemented correctly
  • Veracode Vendor Application Security Testing provides security testing of outsourced and vendor code without compromising vendor intellectual property
  • Veracode Manual Penetration Testing complements Veracode's automated scanning technologies with best-in-class penetration testing services

You should check with your compliance and legal departments for complete information on how you may be required to comply.

View our new guide for continued learning: Navigating the New York Department of Financial Services' Cybersecurity Regulations

About John Zorabedian

John Zorabedian is a blogger and copywriter at Veracode. He has a background in marketing and journalism, writing about IT security, technology, business, politics and culture. He lives and works in the Boston area.
