Be Ready for 2025 Regulatory Requirements

Banks and insurance companies in New York are grappling with the complexities of 23 NYCRR Part 500, a challenging cybersecurity regulation that demands comprehensive and nuanced security measures. The primary hurdle for these organizations is translating the regulatory language into actionable, practical steps that meaningfully enhance their cybersecurity posture.

May 1, 2025 regulations for system hardening

  • 500.5: Automated scans and penetration testing of information systems, vulnerability assessments, and remediation of vulnerabilities.
  • 500.7: Restrict, review, and promptly update user access while enforcing secure password policies.
  • 500.14: Implement risk-based policies, procedures, and controls designed to monitor the activity of authorized users and detect unauthorized access, an endpoint detection and response solution, and centralized monitoring.

For this reason, we built a clear checklist that covers the actions you need to take to achieve NYCRR Part 500 compliance with short and clear explanations. However, to ensure consistent and efficient implementation of these actions, we recommend leveraging an automated hardening solution. Such a solution minimizes human error, speeds up the compliance process, and provides robust documentation for audits.

What is the 23 NYCRR Part 500 regulation?

The 23 NYCRR Part 500 regulation establishes cybersecurity requirements for financial institutions to safeguard sensitive customer information and maintain the integrity of IT systems within New York's financial services sector. This regulation requires financial companies to implement a framework that resembles the PCI DSS security framework.

All banks and insurance companies that operate in New York State are required to comply. As a result, Part 500 can be considered the cybersecurity standard for banks and insurance companies in the U.S.

Who does 23 NYCRR 500 apply to?

A covered entity under 23 NYCRR 500 refers to any organization that operates under, or is required to operate under, a DFS license (Department of Finance), registration, charter, or is otherwise regulated by the DFS.

This covers a wide range of financial services providers, including:

  • Banks
  • Credit unions
  • Mortgage companies
  • Insurance companies
  • Investment companies
  • Health insurers
  • Money transmitters
  • Premium finance agencies

What should I do to achieve 23 NYCRR Part 500 compliance?

According to 23 NYCRR 500, financial institutions are required to:

  • Develop and implement a comprehensive cybersecurity program.
  • Appoint a qualified Chief Information Security Officer to oversee cybersecurity efforts.
  • Conduct periodic penetration testing and vulnerability assessments to identify and mitigate risks.
  • Maintain detailed audit trails to facilitate incident investigation and compliance monitoring.
  • Implement multi-factor authentication to strengthen access controls.
  • Encrypt sensitive data both at rest and in transit.
  • Develop and maintain a robust data breach notification plan to respond effectively to security incidents.

23 NYCRR Part 500 second amendment

Effective November 1, 2023, the second amendment to 23 NYCRR 500 introduced additional requirements, including:

  • Boards and senior officers must be knowledgeable about cybersecurity to effectively oversee their organizations.
  • Covered entities must annually certify compliance or report significant non-compliance to the NYDFS Superintendent.
  • Risk assessments must be continually updated to reflect changes in the organization, technology, or threat environment.
  • Annual manual and automated scans of information systems and bi-annual vulnerability assessments.
  • Engage qualified cybersecurity personnel, whether internal, affiliate, or third-party, to manage cybersecurity risks and oversee core cybersecurity functions.
  • Written policies to maintain an accurate and documented asset inventory.
  • Implement a written policy requiring industry-standard encryption to protect nonpublic information both in transit and at rest.
  • A notice of compliance or certification submitted annually by April 15th, covering the previous year's compliance and including a remediation timeline or confirmation that remediation has been completed.

23 NYCRR Part 500 Covered Entities Timeline

23 NYCRR Part 500 Amendment Compliance Checklist

  1. Know your network:

  • Make sure you have an updated inventory of each asset, including its type, version, and role, especially assets that have access to non-public information. Assets should be categorized as internal-facing or external-facing. This is the first step before starting to think about the required practices for keeping these assets safe.

  2. Write security policies for each type of asset:

  • Each type of environment and asset should have a unique policy, suitable for the specific functions it should perform and the unique threats it faces.
  • Policies should vary at different levels:
    • Type: endpoints and servers should have different policies.
    • Environment: servers in the DMZ and in Active Directory should have different policies.
    • Role: an Exchange server should have a different policy than a web server.
    • Version: a Windows Server 2019 system should have a different policy than Windows Server 2016.

  3. Use tools and methods to find possible vulnerabilities threatening your network:

  • Use scanners and penetration tests to keep an updated assessment of your organization's position regarding known and unknown vulnerabilities. Continuously monitor the compliance posture of your assets and their exposure to vulnerabilities.
  • Perform a bi-annual vulnerability assessment using scanners to assess your assets' exposure to known vulnerabilities.
  • Perform annual penetration testing according to the identified risks and the risk assessment you perform.

  4. Maintain an audit trail based on the risk assessment:

  • You should maintain at least three years of records regarding financial transactions of your operations and obligations.
  • You should maintain at least five years of records regarding cybersecurity events that have a reasonable probability of harming information security.

  5. Control information access privileges:

  • Limit users' access to non-public information and users' ability to perform tasks that are not required by their role. In addition, use different tactics to prevent privilege escalation. Schedule a periodic review to check that no errors were made when provisioning new users and to detect malicious activity in a user account.

  6. Ensure secure development practices:

  • Write specific guidelines and procedures to standardize secure development practices for the in-house development process. In addition, write a procedure for evaluating and assessing the security of the development process for externally developed apps.
  • Both procedures should be reviewed and updated periodically according to the CISO's requirements.

  7. Perform a periodic Risk Assessment:

  • Risk Assessment should be done periodically to address the changes made in IT systems, the data stored in them, and the organization's operations. It should cover newly discovered cyber threats, new technologies being used, nonpublic information confidentiality and integrity, and the effectiveness of the security controls used to protect the organization's nonpublic information and IT systems. The risk assessment should be documented, and there should be criteria for defining risks and how they should be addressed.

  8. Dedicate the right personnel to the task:

  • First, you should designate a qualified individual to be the organization's Chief Information Security Officer (CISO). The CISO will be responsible for implementing and enforcing the cybersecurity policy in the organization. The CISO can be either 'in-house' or a third-party service provider.
  • Second, separate personnel, an affiliate, or a third party should be dedicated to managing the organization's cybersecurity risks and to performing or overseeing the performance of cybersecurity activities.
  • You should make sure that these two functions are performed by trained people, updated with the latest methodologies and risks.

  9. Make sure that information held by third-party service providers is protected:

  • Write and implement a security policy that ensures the security of information that is accessible to or held by third-party service providers. Such a policy should be based on the risk assessment and should address the following:
    1. Identifying who has access to or holds the information and assessing their risks.
    2. Making sure they perform minimum activities to protect the information.
    3. Setting up a due diligence process to make sure they use cybersecurity practices.
    4. Checking periodically what risks they face and whether they take action to protect the information.
    5. Making sure they use best practices for access control (including Multi-Factor Authentication) and encryption.
    6. Requiring notification of any cybersecurity event that may expose your non-public information.

  10. Use Multi-Factor Authentication:

  • Use Multi-Factor Authentication, or a different method if it better suits your risk assessment. Authentication methods should be applied to any user accessing the organization's internal network from an external network. Any different practice used must be approved in writing by the CISO, and only if it is at least as secure as the regular practice.

  11. Limit which data you store:

  • Set periodic procedures for secure disposal of non-public information that is no longer necessary (only if this information is not required to be retained by law or regulation).

  12. Monitor and educate users:

  • Monitor authorized user activity to detect unauthorized access or activity. In addition, provide regular cybersecurity awareness training to employees, updated with the latest risks and events.

  13. Encrypt your data:

  • Use security controls such as encryption to protect your data both in transit over an external network and at rest. If it is impossible to encrypt the data in one of these scenarios, use different security controls, approved by the CISO, to protect the information.
  • The feasibility of the encryption and the effectiveness of other controls should be reviewed by the CISO at least once a year.

  14. Establish an Incident Response Plan:

  • Write a policy designed to respond to and recover from a cybersecurity event. Such a policy should cover the following areas:
    1. The internal process for responding to such an event.
    2. The goals of the incident response plan.
    3. Defining responsibilities and decision-making authorities.
    4. External and internal communication and information sharing.
    5. Understanding and identifying the actions required to remediate the identified weaknesses.
    6. Documenting and reporting on the event and the response activities.
    7. Re-evaluating the incident response plan when needed.

How can CalCom help you achieve compliance?

CalCom hardening automation tools and years of experience in hardening will help you establish the right policies for your organization according to the type of asset (servers and endpoints), their role, environment, and versions.

By understanding the pressures faced by CISOs, we can proactively support your server security compliance efforts through automation, clear communication, and collaborative solutions. CalCom's solutions will automatically implement the policies in your network, saving you the need to test the policies and eliminating the risk of outages. And finally, CalCom's solutions will monitor your network to prevent configuration drift and make sure you maintain the compliance posture of your ever-changing dynamic network.