What is 23 NYCRR 500?

Also called “Part 500”, 23 NYCRR 500 stands for Title 23 of the New York Codes, Rules, and Regulation, Part 500. The purpose of this regulation is to protect consumer data by setting cyber security requirements for financials institutions who operate in the state of New York.

Who Must Follow Part 500?

This regulation applies to anyone licensed, registered, chartered, certified, permitted, or accredited to operate under banking law, insurance law, or financial services law, with the intention of protecting customer information, information systems, and other non-public information (including those held by these covered entities’ third party service providers) from cybersecurity risks or threats.

Vulnerability Scanning Meeting

Requirements of Part 500

  1. Develop and maintain a robust cybersecurity program.
  2. Implement a comprehensive cybersecurity policy.
  3. Designate a chief information security officer (CISO).
  4. Monitor and test the effectiveness of its cybersecurity program.
  5. Maintain an audit trail.
  6. Limit access to information systems that contain nonpublic information.
  7. Institute procedures to assess and test the security of externally developed applications.
  8. Use periodic risk assessments to design and enhance cybersecurity programs.
  9. Use qualified personnel to manage cybersecurity risks and oversee cybersecurity functions.
  10. Implement policies and procedures to ensure the security of information held by third-party service providers: 
  11. Monitor the activity of authorized users, detect unauthorized access, and offer regular cybersecurity awareness training to employees.
  12. Develop plans to respond to and recover from cybersecurity incidents.
Security Operations Center Meeting

Get Started With 23 NYCRR 500

The first step to becoming compliant is to assign a CISO and put together a compliance team. 

From there you’ll want to conduct a risk assessment, implement controls, and submit your first certification of compliance to the NYDFS. 

If you have questions regarding compliance for this regulation or any others, the professionals at Red Lion are always here to help. Just contact us below and we’d be glad to lend a helping hand.

Let Red Lion Assist in your Part 500 Compliance

Do you still have questions regarding 23 NYCRR 500? Our compliance professionals can help your organization become compliant, regardless of complexity.

Contact Us Today

Other Regulations & Services That You May Be Interested In:


Payment Card Industry Data Security Standard


The Sarbanes-Oxley Act
Translate »