23 NYCRR 500 Incident Response Guidelines

What every financial organization needs to know about the NY Department of Financial Services’ regulation

The New York Department of Financial Services (NYDFS) implemented 23 NYCRR 500 in 2017 to address cybersecurity risks among financial institutions and to protect consumers. The regulation details cybersecurity requirements financial institutions operating in the state must meet as well as guidelines for assessing and responding to cybersecurity risks. The department has released continued guidance several times since 2017, making it critical for every organization in the financial space to stay on top of 23 NYCRR 500.

Who Must Comply with 23 NYCRR 500

Any organization regulated under the Department of Financial Services, as well as third-party service providers to regulated entities (regardless of that provider’s regulation status), that engage in any financial business in the state of New York must comply with 23 NYCRR 500.

Organizations subject to compliance include…
  • State-chartered banks
  • Private bankers
  • Licensed lenders
  • Mortgage companies
  • Trust companies
  • Service providers
  • Insurance companies licensed to operate in New York
  • Foreign banks licensed to operate in New York
Exempt organizations include those that…
  • Employ under 10 people
  • Produced less than $5 million in gross annual revenue from New York operations in each of the last three fiscal years
  • Hold less than $10 million in year-end total assets
  • Do not directly or indirectly operate, maintain, or control information systems and are not required to access, generate, receive, or possess nonpublic information

Automate New York regulations with the BreachRx platform

Tailor your incident response plan in minutes so you know exactly what to do by when and take the crisis out of your incident response

How 23 NYCRR Gets Enforced

As of May 2019, a new office under NYDFS known as the “Cybersecurity Division” is responsible for enforcing 23 NYCRR 500.

What Enforcement Powers Exist?

What are Penalties for Non-Compliance?

What Other Responsibilities Exist?

The Cybersecurity Division can issue a monetary penalty and guidance for program improvements. It can also file charges to be settled in a hearing.Per Section 408 of New York’s Financial Services Law, non-compliance with 23 NYCRR 500 carries a penalty of up to $1,000 per violation.The Cybersecurity Division can also advise on examinations, conduct investigations, and share information about new threats.

Cybersecurity Requirements Under 23 NYCRR 500

23 NYCRR 500 includes 23 sections of guidelines for improving cybersecurity and assessing risks. Some of the major requirements under this regulation include:

  • Introducing a cybersecurity program, including data protection policies
  • Appointing a Chief Information Security Officer
  • Conducting regular penetration testing and bi-annual risk assessments
  • Maintaining an audit trail of data
  • Developing a written incident response plan

Organizations must also submit a written statement to the NYDFS superintendent annually by April 15 certifying their compliance with 23 NYCRR 500 and then maintain all records, schedules, and data supporting this compliance for five years. Any efforts to improve or update cybersecurity programs or systems must be documented in this notification.

Incident Response Measures Required by 23 NYCRR 500

23 NYCRR 500 requires organizations to introduce a written incident response plan so they are prepared to jump into action at any time following a cybersecurity event.

What is a cybersecurity event?Any act or attempt (regardless of whether or not it’s successful) to gain unauthorized access to, disrupt, or misuse an information system or information stored on that system.
What needs to be included in the incident response plan?
  • Process for responding to a cybersecurity event
  • Goals of the incident response plan
  • Definitions for roles, responsibilities, and decision-making authority for anyone involved in incident response measures
  • Guidelines for external and internal communications regarding the incident
  • Requirements for how to remediate weaknesses identified in information systems or controls
  • Guidelines for how to document the cybersecurity event and incident response efforts
  • Process for evaluating and revising the incident response plan after a cybersecurity event
What type of notification is required?Organizations must notify the NYDFS superintendent if they experience a cybersecurity event that:

  • Requires notification to any government, supervisory, or self-regulatory body under other regulations
  • Has a reasonable likelihood of materially harming any part of normal operations
How should organizations notify consumers?Notifications to consumers must follow the guidelines set forth by New York’s information security breach and notification law.

Examples of Cybersecurity Events That Can Lead to Incident Response Under 23 NYCRR 500

Any cybersecurity event that affects information systems or disrupts business operations requires incident response measures under 23 NYCRR 500. Common examples include:



An attack that uses malware to steal data and then hold that information captive in exchange for money. Even if the organization retrieves the data, information was exposed and systems were compromised.

Phishing malware or trojan


An attack in which threat actors trick users into exposing sensitive data, like passwords or nonpublic account information, by posing as a legitimate user and simply asking for it or by sharing a malicious link.

watering hole

Drive-By Download

An attack that installs a malicious program on a computer without the user’s consent by hiding it inside a legitimate website or app. This gives attackers access to hijack the device, spy on the user’s activity, or steal data.

How Organizations Can Prepare to Comply with 23 NYCRR 500

23 NYCRR 500 recognizes that cybersecurity events are inevitable and aims to keep organizations prepared to detect and respond to these events by requiring regular assessments and a written incident response plan. To meet these requirements, organizations must take a proactive stance by thinking through three essential phases of incident response:


Have a written plan that documents how teams will respond and who will be involved when a cybersecurity event occurs. Specifically, organizations should review the requirements for the plan and response measures outlined by 23 NYCRR 500 (plus any other relevant laws and contracts), and then document a plan that meets these requirements.


Be prepared to notify the NYDFS superintendent of a cybersecurity event within 72 hours. This response includes identifying and investigating the cybersecurity event (when and how it occurred, the data involved, and the impact on business operations), remediating the issue to protect against future events, and issuing the appropriate notifications as required.

Ongoing Management

Regularly evaluate cybersecurity program effectiveness and report on it annually. This ongoing management requires organizations to introduce a centralized dashboard as a single source of truth for all monitoring, reporting, and incident response plans and to align key stakeholders on response plans so they know their responsibilities when an event occurs.

Proactive Incident Response Must be a Priority

Proactive preparation for cybersecurity and incident response are central to 23 NYCRR 500, as the law requires financial institutions to introduce certain security measures, regularly evaluate the effectiveness of those measures, and have documented response plans in place.

Achieving this proactive stance means organizations must prepare for incident response by outlining clear actions they’ll take when a cybersecurity event occurs and assigning responsibility for each of those efforts. It also requires keeping tabs on updates to regulations like 23 NYCRR 500 and the NY SHIELD Act, and adjusting plans as needed.

Supercharge your incident response strategy with the BreachRx platform

Stop using spreadsheets and documents to keep track of the tasks you need to accomplish during an incident response.