How to Comply With 23 NYCRR 500

In February of 2017, the New York State Department of Financial Services (NY DFS) released the updated version of their Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500). The new legislation, which takes effect on March 1, reflects a growing concern in the NY DFS regarding the impact of cyber attacks on the operations of financial firms, and the potential for much greater damage to the financial system at large.

23 NYCRR 500 applies to anyone “operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law,” with 10 or more employees, annual revenue of more than $5 million, and more than $10 million in total assets. The legislation centers on the establishment of a comprehensive cyber security program within each covered firm.

As the incident response software provider to several of New York’s largest banks and insurance companies, D3’s solution is already aligned with the new requirements of 23 NYCRR 500. In this post, we’ve detailed five of the turn-key features that can keep your financial firm compliant.

Section 500.06, Audit Trail

In order to comply with the new legislation, financial firms must retain audit trails related to cyber security events that might pose a risk to their business operations. These records must be held for at least three years. The audit trails must be designed to include the detection and response to cyber security events.

D3 is a total workflow solution that maintains a complete audit trail, from an event’s initial detection to its conclusive remediation. Available in various formats to approved users, D3 audit trails can be archived for any number of years and can be easily reviewed by, or batch uploaded to, NY DFS.

Section 500.09, Risk Assessment

The new legislation requires periodic risk assessments that inform the entirety of a firm’s cyber security programs. Risk assessments must be guided by written policies and procedures, and cover internal and external cyber security risks to the firm’s data, as well as how they will be mitigated. The assessment procedures must be updated as necessary to adapt to evolving threats and requirements.

D3’s intelligence engine acts as a centralized records management system for the cybersecurity and risk management teams. Information from SIEM, threat intelligence and incident response activities provides rich data for incident planning and risk assessments. Policies and procedures can be stored within D3 and configured into workflows, while risk assessment templates can be easily uploaded and customized as needed.

Section 500.15, Encryption of Nonpublic Information

23 NYCRR 500 requires firms, based on their risk assessments, to ensure that all nonpublic information (NPI) is protected by effective controls. Encryption of NPI both in transit and at rest is encouraged, and while alternative ‘compensating controls’ might be acceptable, the rule requires that they be reviewed annually by a firm’s CISO.

All data that passes through D3 is encrypted both in transit and at rest, protecting your firm and your customers from exposed NPI. Strong end-to-end encryption makes compliance with this rule simple, and prevents the hassle of bringing in your CISO to regularly review an alternative solution.

Section 500.16, Incident Response Plan

This rule requires firms to establish a written incident response plan for cyber security events. The plan must include clear goals; assigned roles and responsibilities; requirements for remediation of weaknesses; documentation and reporting; and evaluation and revision following a cyber security event. The rule emphasizes the importance of revising the plan based on lessons learned, which makes a comprehensive, full lifecycle incident management platform like D3 Security’s especially useful.

D3’s incident response platform has everything a financial firm needs to satisfy Section 500.16 of the 23 NYCRR 500. Our playbook library and custom playbook engine provide incident-specific planning and orchestration capability, as well as clear demarcations of roles and responsibilities, incident-handling stages, documentation and reporting, and a robust toolset for post-event “lessons learned”, including a dedicated root cause resolution workflow.

Section 500.17, Notices to Superintendent

The legislation includes two requirements for notifications to the superintendent. The first is an annual written statement attesting to compliance with the rules of 23 NYCRR 500. The second requirement is that firms must notify the superintendent within 72 hours of identifying a cyber security event. Any event that would merit notification to a regulator, government, or other overseeing body, as well as any event that has a reasonable likelihood of impacting firm operations, must be reported.

D3 can help you beat the 72-hour deadline by setting customized, real-time notifications to your security managers. Our two-way SIEM integrations make it possible for your SOC team to investigate relevant incidents without getting bombarded with false positives, and our reporting capabilities mean that notification of an incident can be completed in just a few clicks. Implementing an enterprise-wide incident response solution like D3 also makes annual compliance notifications much easier. All the information that needs to be reported is easily accessible in one platform, instead of being siloed in different systems and departments.


Financial firms are already subject to numerous overlapping regulatory requirements, so having to incorporate new legislation is never a welcome task. Despite the inconvenience, however, there are valuable principles at the core of 23 NYCRR 500. Stronger cyber security, risk management, and incident response are never a bad idea. For the numerous New York financial firms already using D3 for cyber incident response and information security compliance, meeting the new requirements has taken almost no additional effort, because D3 already collects all of the relevant data.

Click on the button below to book a demo, and see for yourself why so many organizations in financial services and other highly regulated industries use D3 to orchestrate incident response, connect with security technologies, and apply data-driven decisions across an enterprise-wide vision of cyber security and risk management.

Walker Banerd

Walker is D3 Security's Director of Content Marketing. He leads the writing of D3's blog, as well as white papers, industry briefings, and other thought leadership. Walker's expertise is translating technical concepts into easily understandable content, with a focus on software, cybersecurity, and compliance solutions.