See how you can maintain an inventory of NYCRR-regulated data and provide regulators proof of 24/7 data monitoring, fulfillment of right-to-be-forgotten requests at endpoints, and policy enforcement.
Provide evidence to auditors of steps taken to secure the confidentiality of customer information collected and protect it against threats and unauthorized access.
23 NYCRR 500 is a regulation in the state of New York that establishes cybersecurity requirements for financial services companies regulated by the New York State Department of Financial Services (NYDFS). Its purpose is to protect consumers by requiring covered companies to maintain strong cybersecurity programs that guard against cyber threats and preserve the integrity and confidentiality of sensitive financial information.
23 NYCRR 500 is a regulation in the state of New York that applies to financial services companies regulated by the New York State Department of Financial Services (NYDFS). This includes a wide range of businesses, including:
The regulation requires these companies to implement robust cybersecurity programs to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information.
23 NYCRR 500 requires companies to implement robust cybersecurity programs to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information. The regulation covers a wide range of data types, including both personal and financial information. Examples of data types that may be covered by 23 NYCRR 500 include:
The specific data types that are covered by the regulation may vary depending on the specific business activities of the financial services company. The regulation requires these companies to implement controls to protect against unauthorized access to or tampering with nonpublic information, which may include any data that is not publicly available or that is subject to confidentiality agreements or other legal protections.
To comply with 23 NYCRR 500, financial services companies are required to:
If a financial services company fails to comply with the requirements of 23 NYCRR 500, it may be subject to enforcement action by the NYDFS.
The NYDFS has the authority to investigate alleged violations of the regulation and to take appropriate enforcement action, which may include the imposition of fines, the issuance of cease and desist orders, or the revocation or suspension of licenses. The NYDFS may also refer cases to other law enforcement agencies for further investigation and prosecution.
The specific penalties that may be imposed for non-compliance with 23 NYCRR 500 will depend on the nature and severity of the violation, as well as the company’s history of compliance with the regulation. The NYDFS has the authority to impose fines of up to $5,000 for each day that a violation continues, and may also seek additional remedies, such as the reimbursement of damages or the restoration of lost data.
Financial services companies that fail to comply with 23 NYCRR 500 may also face reputational damage, as well as legal and financial liability for any harm caused by a cyber attack or data breach. It is important for these companies to take the necessary steps to comply with the regulation in order to protect against cyber threats and to maintain the integrity and confidentiality of sensitive financial information.
Experience the data security platform that scans data elements and cross-references user behavior to help you nail compliance and identify sensitive data risk.
Qohash’s Qostodian platform finds, inventories, and continuously monitors individual data elements across workstations, attached and shared drives, and Microsoft 365 cloud apps.
Monitor employee interactions with sensitive data 24/7, with a modern, intuitive SaaS data security platform, offered for a one-time predictable fee.