Solution Brief

Proofpoint and New York State Department of Financial Services Cybersecurity Regulation 23 NYCRR 500

To address the importance of security in financial services companies and the ever-increasing threats they face, the New York State Department of Financial Services (DFS) issued Regulation 23 NYCRR 500 (or Reg 500) in March 2017. It sets out a comprehensive set of cybersecurity regulations that apply to any institution regulated by the New York State DFS.

If the regulation applies to your organization, you must meet all of its requirements. They were designed to ensure that you improve your cybersecurity posture and increase data protection and privacy for your customers. In all, its 21 provisions give you guidelines and standards on how to develop a thorough cybersecurity program and a process for complying and disclosing incidents.

According to Reg 23 NYCRR 500, your comprehensive cybersecurity program must include:

  • One or more written security policies
  • A risk assessment
  • Implementation of security and archiving applications
  • Security awareness training
  • Encryption
  • Multi-factor authentication
  • Testing and auditing
  • Certification
  • Filing of incident reports
  • And more

As of March 2019, all the regulation’s requirements are in effect. And regardless of your compliance efforts, there will always be differences in interpretation from auditors or internal compliance groups regarding the ongoing strength and operationalization of NYDFS CRR 500.
