How to Approach the Demanding 23 NYCRR 500 Regulation

In March 2017, the New York State Department of Financial Services (NYDFS) issued a new regulation, the much discussed 23 NYCRR part 500. Considered to be one of the harshest cybersecurity regulations ever to impact companies, it consists of a new set of standards and requirements for banks, insurance companies, and other financial services organizations. It means that all businesses licensed by the New York DFS and “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law” (with the exemption of small organizations) must comply with the new law. This includes companies such as state-chartered banks, licensed lenders, private bankers, service contract providers, trust and mortgage companies, but also foreign financial institutions and insurance companies conducting business in New York.

NY Governor Andrew Cuomo explained that “New York is the financial capital of the world, and it is critical that we do everything in our power to protect consumers and our financial system from the ever increasing threat of cyber-attacks. These strong, first-in-the-nation protections will help ensure this industry has the necessary safeguards in place in order to protect themselves and the New Yorkers they serve from the serious economic harm caused by these devastating cybercrimes.”

The new regulation is the latest addition to a comprehensive approach following a series of high-profile data breaches that resulted in losses of hundreds of millions of dollars for individuals as well as US companies as shown below:

Date Victim Breach Fallout
November 2013 Target Corp. 41 million Target customers’ payment card accounts were breached by criminals using the credentials of 61 million Target customers that were stolen from a third-party vendor ·    $18.5 million settlement in 47 states in 2017

·      $10 million class-action lawsuit settlement in 2015

·     Payments of up to $10,000 per customer who suffered proven losses from the data breach

April – September 2014 Home Depot Inc.


Data breach affected more than 50 million cardholders that used the Company’s self-checkout terminals in its US and Canadian stores that were compromised by custom-built malware that accessed payment card information ·    $27 million settlement with banks in 2017

·    $15.3 million in legal fees and $710,000 in expenses to the banks’ attorneys

·    $19.5 million to customers harmed by the hack

·    $14.5 million settlement with MasterCard and Visa

2015 Anthem Inc., the largest US health insurance company The personal information of 79 million individuals was compromised by attackers who gained unauthorized access to Anthem’s IT system ·    A settlement of $115 million for more than 100 lawsuits was agreed upon in 2017
May – July 2017 Equifax, one of the three largest credit reporting agencies in the US 143 million US consumers were compromised by criminals exploited a US website application vulnerability to gain access to files ·    Inquiries from the Consumer Financial Protection Bureau, the Federal Trade Commission, the House Financial Services Committee, the Senate Finance Committee, New York’s Attorney General

·    The CEO, CIO and CISO of Equifax were forced to resign

·   Lawsuits, including from the State of Massachusetts

·    New York Department of Financial Services (DFS) issued a new regulation that Equifax and other credit reporting agencies must register with the NYDFS, and must comply with the NYCRR 500

August 2017 Sonic Drive-In, a US fast-food chain with 3,600 locations Malware attack at some of its drive-in outlets resulted in millions of stolen credit card credentials ·    Sonic’s shares fell 24.4 % in the two months after the breach

·    Sonic will offer affected customers free identity theft protection

The 23 NYCRR part 500 contains regulatory minimum standards to prevent and avoid data breaches. Since the end of August 2017, organizations must have a compliance program and effective policies in place, including having their own Chief Information Security Officer (CISO). These obligations are already in place, although the first reports are only due in February 2018. Let’s have a closer look at the new regulation’s main provisions and how Cymulate can assist.

Section 500.02 – Cybersecurity Program
Each Covered Entity (defined as “any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law”) must develop and maintain a cybersecurity program. This program must be designed to protect the confidentiality, integrity and availability of the Covered Entity’s information systems, and must be based on the Covered Entity’s Risk Assessment. Last but not least, all documentation and information relevant to the program must be made available to the Superintendent of Financial Services upon request. By making the Cymulate solution part of the cybersecurity program, the Covered Entity can perform on-demand cyberattack simulations on a regular basis. The immediate results are provided in a comprehensive report and present a full picture of the Covered Entity’s security posture.

Section 500.03 – Cybersecurity Policy
Each Covered Entity will implement and maintain a written cybersecurity policy (or policies) that must be approved by the senior management or the Board of Directors of the Covered Entity. This cybersecurity policy must be based on the Risk Assessment and has to contain the policies and procedures for protecting the Covered Entity’s Information Systems as well as the information stored on them. The cybersecurity policy shall be based on the Covered Entity’s Risk Assessment and will address various areas where Cymulate can assist, such as:

  • Using the Cymulate platform to test systems and network security;
  • Running scheduled Cymulate simulations as part of systems and network monitoring;
  • Letting the Cymulate platform validate the security posture for risk assessment;
  • Leveraging Cymulate’s test reports for formulating and fine-tuning incident response;
  • Running various Cymulate modules (such as Cymulate’s Web Application Firewall Assessment) to assist with systems and application development and quality assurance.

Section 500.04 Chief Information Security Officer (CISO)
Each Covered Entity must appoint a Chief Information Security Office (CISO) to oversee and implement the Covered Entity’s cybersecurity program. Since the CISO is also responsible for enforcing the covered Entity’s cybersecurity policy, the Cymulate platform is a powerful tool for the CISO to have.

Section 500.05 Penetration Testing and Vulnerability Assessments.
The cybersecurity program for each Covered Entity shall include monitoring and testing, developed in accordance with the Covered Entity’s Risk Assessment, designed to assess the effectiveness of the Covered Entity’s cybersecurity program. The monitoring and testing shall include continuous monitoring or periodic Penetration Testing and vulnerability assessments. Since Cymulate provides an on-demand attack simulation platform, it is designed to perform not only regular penetration tests but also vulnerability assessments. By performing attack simulations, Cymulate identifies the vulnerability of the organization’s security framework to all kinds of multi-vector cyberattacks. More specifically, the Cymulate platform “impersonates” hackers, cybercriminals and rogue countries to simulate all kinds of cyberattacks. This allows the organization and its CISO to test if the Covered Entity’s cybersecurity can withstand Advanced Persistent Threats (APT), classic malware such as worms and Trojans, popular attack vectors including phishing, spyware and ransomware, as well as the latest multi-vector attacks.

Needless to say, also the 23 NYCRR part 500 has a reporting obligation regarding data breaches and incidents. Section 500.17 clearly states that Covered Entities must start notify the NYDFS no later than 72 hours after identifying an act or attempt, successful or unsuccessful, which was made to gain unauthorized access to, disrupt or misuse an Information System or the information stored on it.

In conclusion, Cymulate’s plug & play assessment platform can help Covered Entities and their CISOs to comply with the provisions of NYCRR by periodically testing how vulnerable their systems and data are to cyberattacks. Once installed, it performs offensive and defensive actions to expose critical vulnerabilities. More specifically, the platform simulates multi-vector cyberattacks from an attacker’s perspective. This enables the Covered Entity and its CISO to test the organization’s cybersecurity, conduct risk assessments, and formulate incident responses.

To find out if your organization would be able to withstand a cyberattack, sign up for our FREE assessment without any obligation. See for yourself how Cymulate’s automated platform will simulate continuous attacks on different vectors to locate vulnerabilities which allows you to mitigate issues so keep you NYCRR 500 compliant.

Test the effectiveness of your security controls against possible cyber threats with a 14-day trial of Cymulate’s platform.

Start a Free Trial

Don’t speculate, Cymulate