Citation

New York Department of Financial Services, Cybersecurity Requirements for Financial Services Companies, 23 NYCRR 500 (Mar. 1, 2017) (full-text).

Overview

This regulation requires banks, insurance companies, and other financial services institutions regulated by the New York Department of Financial Services to establish and maintain a cybersecurity program designed to protect consumers and ensure the safety and soundness of New York State's financial services industry.

It requires regulated financial institutions to establish a cybersecurity program; adopt a written cybersecurity policy; designate a Chief Information Security Officer responsible for implementing, overseeing and enforcing its new program and policy; and have policies and procedures designed to ensure the security of information systems and nonpublic information accessible to, or held by, third parties, along with a variety of other requirements to protect the confidentiality, integrity and availability of information systems.