What is the New York Cybersecurity Regulation? What you need to do to comply

Officially called 23 NYCRR 500, this regulation requires financial services firms doing business in New York to have a full security risk assessment and plan.


In March 2017, the New York State Department of Financial Services (DFS) implemented 23 NYCRR 500, generally referred to as the New York Cybersecurity Regulation. Its aim is to encourage financial services firms doing business in the state to minimize their security risks. Although many experts see the regulation as flawed, 23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Given the importance of the financial services industry to New York’s economy, it’s easy to see why the DFS enacted the regulation. New York is home to many of the leading global and domestic financial institutions, and the industry represents about 30 percent of the state’s gross domestic product (GDP). If that industry falters, New York takes a big hit in terms of revenue, jobs and reputation. The regulation requires organizations to adhere to what the DFS considers a minimum standard set of security best practices.

Setting a cybersecurity regulation standard for the U.S.

Much like the European Union’s General Data Protection Regulation (GDPR), the New York Cybersecurity Regulation has far-ranging geographic reach. “Because New York is such a big market, [23 NYCRR 500] will have a sweeping effect on companies within the United States headquartered outside of New York, as well as companies that are headquartered outside of the United States,” says Harley Geiger, director of public policy at Rapid7. “In this way, the regulation is similar to GDPR. A lot of U.S.-based companies, because they do business in Europe, are now finding themselves in the position where they have to comply with EU regulations.”

“Once DFS gets into the business of enforcing this law, I think you will see laws follow quickly in other states and other industries,” says Jami Vibbert, counsel with the eCommerce, Privacy, and Cybersecurity Group at law firm Venable LLC.
