What is 23NYCRR500?

New York Department of Financial Services (DFS)'s cybersecurity regulation, 23 NYCRR 500, became effective March 1, 2017, with a two-year implementation period.

From Section 500.00 Introduction. Key items have been highlighted.

The New York State Department of Financial Services (“DFS”) has been closely monitoring the evergrowing threat posed to information and financial systems by nation-states, terrorist organizations and independent criminal actors. Recently, cybercriminals have sought to exploit technological vulnerabilities to gain access to sensitive electronic data. Cybercriminals can cause significant financial losses for DFS regulated entities as well as for New York consumers whose private information may be revealed and/or stolen for illicit purposes. The financial services industry is a significant target of cybersecurity threats. DFS appreciates that many firms have proactively increased their cybersecurity programs with great success.

It is critical for all regulated institutions that have not yet done so to move swiftly and urgently to adopt a cybersecurity program and for all regulated entities to be subject to minimum standards with respect to their programs.

The number of cyber events has been steadily increasing and estimates of potential risk to our financial services industry are stark.
Adoption of the program outlined in these regulations is a priority for New York State.


  • Centralize & maintain the entire program

  • Manage risk register, remediation tasks, & action plan

  • Maintain all documentation for the superintendent

JustProtect streamlines the compliance processes by centralizing all requirements of the the 23NYCRR500 regulatory compliance process. By including all stakeholders, JustProtect provides a holistic view into the state and status of the organization’s compliance posture.


  • Define roles

  • Conduct gap assessment

  • Manage remediation tasks & risks

23NYCRR500 requires input from members of the Board or Senior Executives, the business and IT to meet compliance. JustProtect provides automated workflows and a simple interface to ensure involvement at every level.

23 NYCRR 500 is expected to set a precedent for cybersecurity laws and regulations in other states.

Vikas Bhatia JustProtect.co



  • Inventory 3rd parties

  • Perform Assessments

  • Manage 3rd party remediation tasks & risks

500.11 requires covered entities to determine, assess and manage risks presented by 3rd parties. JustProtect can inventory, assess and manage 3rd party risks in a faction of the time taken by traditional methods.

Because New York is such a big market, [23 NYCRR 500] will have a sweeping effect on companies within the United States headquartered outside of New York, as well as companies that are headquartered outside of the United States.

Jamie Aquila JustProtect.co