Can you summarize 23 NYCRR Part 500?
Regulations of the Superintendent of Financial Services > Cybersecurity Requirements for Financial Services Companies
Short Summary
This legal document, part of the New York Codes, Rules and Regulations (specifically the Regulations of the Superintendent of Financial Services), establishes cybersecurity requirements for financial services companies. It requires covered entities to notify the superintendent within 72 hours of determining that a cybersecurity event has occurred that either impacts the covered entity and requires notice to a government body, self-regulatory agency, or supervisory body, or has a reasonable likelihood of materially harming any material part of the covered entity’s normal operations. Covered entities must also submit an annual written statement to the superintendent by April 15th, certifying compliance with the requirements. Records supporting this certificate must be maintained for five years and made available for inspection by the superintendent. The document also emphasizes the need for covered entities to document areas, systems, or processes that require improvement and the remedial efforts planned or underway to address them. It does not specify penalties for non-compliance or violation of the requirements.
Whom does it apply to?
Covered entities, including their employees, agents, representatives, and designees
What does it govern?
Cybersecurity requirements for financial services companies
What are exemptions?
Exemptions based on the size of the covered entity, exemptions for employees covered by the cybersecurity program of the entity, exemptions for entities that do not operate or possess nonpublic information, exemptions for covered entities under article 70 of the Insurance Law, and exemptions for certain persons subject to Insurance Law
What are the Penalties?
No specific penalties are mentioned in the document.
Jurisdiction
New York