Lately, we are approached by many insurance companies located in the state of New York asking for assistance with the 23 NYCRR Part 500 regulation compliance. Like in many other cases, the first big step an organization must take is to understand the practical meaning of the regulatory requirements.


For this reason, we built a clear checklist that covers the actions you need to take to achieve NYCRR Part 500 compliance with short and clear explanations.


What is the 23 NYCRR Part 500 regulation:

The 23 NYCRR Part 500 is a regulation designed by the New York State Department of Financial Services (DFS) to promote costumer's information IT system security of regulated entities. It is currently the most comprehensive cybersecurity regulation in the US. This regulation demands financial companies to implement a framework that resembles the PCI DSS security framework.


The regulation was first published on March 1, 2017. Regulated entities were obligated to prove compliance with the regulation by June 2020. All insurance companies that operate in New York State required to comply. As a result, Part 500 can consider as the cybersecurity standard for insurance companies in the entire US.


Recently, the New York DFS started to enforce this regulation, charging insurance companies for regulatory violations. Fines over regulatory violations can cost up to $250,000 or one percent of total banking assets. Therefore, insurance companies start to lift the gear and pay closer attention to their compliance state.


What should I do to achieve 23 NYCRR compliance:

  1. Know your network:

Make sure you have an updated inventory of each asset, its type, version, and role. Especially ones that have access to non-public information. Assets should be categorized as facing in and facing out of the network. This is the first step before starting to think about the required practice for keeping these assets safe.


  1. Write security policies for each type of asset:

Each type of environment and asset should have a unique policy, suitable for the specific functions it should have and the unique threats that it faces.


Policies should vary in different levels:

Type: endpoints and servers should have different policies.

Environment: servers in DMZ and Active Directory should have different policies.

Role: exchange server should have a different policy than a web server.

Version: Windows 2019 server should have a different policy than Windows 2016.

CIS Benchmarks – What are They and How to Use Them


  1. Use tools and methods to find possible vulnerabilities threatening your network:

Use scanners and penetration tests to keep an updated assessment of your organization's position regarding known and unknown vulnerabilities. Continuously monitor the compliance posture of your assets and their exposure to vulnerabilities.

Perform a bi-annual vulnerability assessment using scanners to assess your assets’ exposure to a known vulnerability.

Perform an annual penetration testing according to identified risks and to the risk assessment, you perform.


  1. Maintain an audit trail based on the risk assessment:

You should maintain at least three years of records regarding financial transactions of your operations and obligations.

You should maintain at least five years of records regarding cybersecurity events that have a reasonable probability to harm information security.


  1. Control information access privileges:

Limit users’ access to non-public information and users' ability to perform tasks that are not required in their role. In addition, use different tactics to prevent privileges escalation. Schedule a periodic review to check no errors were made signing new users or to detect malicious activity in a user account.


  1. Ensure secured development practices:

Write specific guidelines and procedures to standardize a secure development practice for the in-house development process. In addition, write a procedure of evaluating and assessing the development process security in externally developed apps.


Both procedures should be reviewed and updated periodically according to the CISO's demands.


  1. Perform a periodic Risk Assessment:

Risk Assessment should be done periodically to address the changes made in IT systems, the data stored in them, and the organization's operations. It should cover newly discovered cyber threats, new technologies being used, nonpublic information confidentiality and integrity, and the effectiveness of the used security controls to protect the organization's nonpublic information and IT systems. The risk assessment should be documented and there should be criteria for defining risks and how they should be addressed.


  1. Dedicate the right personas for the task:

First, you should designate a qualified individual to be the organization's Chief Information Security Officer (CISO). The CISO will be responsible for implementing and enforcing the cybersecurity policy in the organization. The CISO can be either 'in-house' or a third-party service provider.


Second, separate personnel, affiliate, or a third party should be dedicated to managing the organization's cybersecurity risks and to perform or oversee the performance of cybersecurity activities.


You should make sure that these two functions are performed by trained people, updated with the latest methodologies and risks.


  1. Make sure that information held by third-party service providers is protected:

Write and implement a security policy that ensures the security of information that is accessible or held by third-parties service providers. Such policy should base on the risk assessment and should address the following:

  1. Identifying who has access to or holds the information and assessing their risks.
  2. Making sure they perform minimum activities to protect the information.
  3. Setting a due diligence process to make sure they use cybersecurity practices.
  4. Checking periodically what risks they face and whether they take action to protect the information.
  5. Making sure they use best practices for access control (including Multi-Factor Authentication) and encryption.
  6. Demanding to be notified in any case of a cybersecurity event that may expose your non-public information.


  1. Use Multi-Factor Authentication:

Use Multi-Factor Authentication or a different method if it suits better your risk assessment. Authentication methods should be utilized for any user accessing the organization's internal network from an external network. Any different practice used should be approved in writing by the CISO only if it is equivalent or more secure than the regular practice.


  1. Limit which data you store:

Set periodic procedures for secure disposal of non-public information that is no longer necessary (only if this information is not required to be retained by law or regulation).


  1. Monitor and educate users:

Monitor authorized user activity to detect unauthorized access or activity. In addition, provide regular cybersecurity awareness training to the employees, updated with the latest risks and events.


  1. Encrypt your data:

Use security controls such as encryption to protect your data both in transit over an external network and at rest. If it is impossible to encrypt the data in one of these scenarios, use different security controls, approved by the CISO, to protect the information.


The feasibility of the encryption and the effectiveness of other controls should be reviewed by the CISO at least once a year.


  1. Establish an Incident Response Plan:

Write a policy designed to respond and recover from a cybersecurity event. Such policy should cover the following areas:

  1. The internal process for responding to such an event.
  2. What are the goals for the incident response plan?
  3. Defining responsibilities and decision-making authorities.
  4. External and internal communication and information sharing.
  5. Understanding and identifying actions required for remediation of the identified weaknesses.
  6. Documenting and reporting on the event and the response activities.
  7. Re-evaluating the incident response plan when needed.


How can CalCom help you achieve compliance?

CalCom hardening automation tools and years of experience in hardening will help you establish the right policies for your organization according to the type of asset (servers and endpoints), their role, environment, and versions. CalCom's solutions will automatically implement the policies in your network, saving you the need to test the policies and eliminating the risk for outages. And finally, CalCom's solutions will monitor your network to prevent configuration drifts and make sure you maintain the compliance posture of your ever-changing dynamic network.









You might be interested