concentric logo

A Technical Explainer on 23 NYCRR 500 and How Concentric AI can help

May 31, 2023
Mark Stone
4 min read

Businesses are obligated to protect sensitive data not just for the security of their operations and customer’s privacy, but also to stay aligned with evolving data protection laws and regulations. New regulations are coming into effect all the time. New York has implemented the New York State Department of Financial Services’ (NYDFS) Cybersecurity Requirements for Financial Services Companies, also known as 23 NYCRR 500. 

As the threat landscape escalates, keeping pace with regulations like NYCRR 500 is not just about compliance but a step towards bolstering your organization’s defenses against potential data breaches and financial system threats. 

In 2017, the State of New York Department of Financial Services took a bold step and introduced a comprehensive set of cybersecurity requirements for financial institutions operating under their jurisdiction. 

These requirements, outlined in Title 23 of the New York Codes, Rules, and Regulations Part 500, or simply NYCRR 500, represent another milestone in securing customer data and IT systems of financial institutions. 

NYCRR 500 Data security requirements  

Under this recent state regulation, supervised entities are mandated to assess their cybersecurity risk profiles and deploy a comprehensive strategy that acknowledges and mitigates their risk. To help organizations prevent data breaches, specific regulatory minimum standards have been established.  

Here are the key high-level data security requirements for financial organizations: 

  • Establish risk-oriented minimum standards for IT systems, which must include data protection and encryption, access control mechanisms, and penetration testing
  • Ensure that the cybersecurity program is budgeted appropriately, managed by a Chief Information Security Officer (which could be a third-party service provider), and executed by experienced cybersecurity professionals
  • Implement robust incident response plans that preserve data to respond to a data breach and notifying the NYDFS of any significant events in a timely manner
  • Assure accountability through the identification and documentation of deficiencies, remediation plans, and certifications of annual compliance 

How Concentric can improve your organization’s compliance with NYCRR 500 

Concentric’s AI-based solution helps organizations in the financial industry meet the stringent requirements of NYCRR 500.   

While the general requirements outlined above are quite broad, it’s more prudent to explore some of the more specific NYCRR 500 requirements and how Concentric can help you stay compliant.  

Limiting Access to Information Systems  

One of the key components of NYCRR 500 is limiting access to information systems that contain private data. Concentric enables you to easily manage access controls, ensuring that only authorized individuals have access to sensitive data — no matter where it resides: in the cloud, on premises, in structured or unstructured format. You can mitigate these access risks as they happen, whether it’s fixing access control issues or permissions, disabling sensitive file sharing with a third party, or blocking an attachment on a messaging service.  

Implement policies and procedures to ensure the security of information held by third-party service providers   

NYCRR 500 also mandates that businesses implement policies and procedures to secure data held by third-party service providers. Concentric’s multifaceted approach of classifying data, assessing risk and managing access controls goes a long way in helping you secure data held by a third party.   

By accurately classifying financial data based on its sensitivity and importance, you can clearly define policies in which only the appropriate data is shared with each third party, following the principle of least privilege.  

When it comes to data risk, Concentric can identify potential risks associated with data sharing, such as inappropriate access or sharing permissions.  

Concentric securely scans unstructured data wherever it’s stored. We support Office365, Slack, Microsoft Teams, Snowflake, e-mail, Amazon S3, OneDrive, Google Drive, Box, Dropbox, SharePoint Online, Windows file shares, PostgreSQL, MySQL, and more. With continuous autonomous monitoring, Concentric ensures your data is constantly protected and compliant. 

Data Retention and Deletion Policies  

With Concentric, you can deploy data retention and deletion policies that comply with NYCRR 500. By identifying the type of data and its associated sensitivity level, you can pinpoint any relevant data that is subject to specific retention and deletion policies wherever it lies. 

Because our solution is always measuring risk, you can highlight instances where data retention and deletion practices deviate from established norms, which can highlight potential non-compliance or data security risks.  

Equally important, Concentric can also help organizations with data lifecycle management and managing data lineage. You’ll easily be able to manage all versions of your sensitive financial data and pinpoint which iterations are newer and which are older. Plus, you’ll have a clear view of where each variation of all sensitive financial data resides across your repositories — whether it’s in the cloud or on-premises, structured or unstructured. 

Monitoring User Activity and Detecting Unauthorized Access  

Continuously monitoring data for risk is not only difficult but time-consuming for IT and security teams. As adherence to data protection laws like NYCRR 500 becomes the norm, the resources required to write complex rules and deploy policies on-the-fly can be overwhelming.  

With Concentric, you can autonomously discover how your sensitive financial data is being used, who it is being shared with, and who accessed it. You can quickly and accurately identify risk from inappropriate permissioning, risky sharing, unauthorized access or potential data misuse.   

Not only that, but you can also detect any deviations from normal data usage patterns, including unusual or unexpected data access. Unauthorized access can be remediated in real-time, enabling quick incident response to mitigate potential damage. 

Easy to deploy without using rules or regex 

What’s truly remarkable about everything we’ve discussed here is that Concentric can reduce risk and protect your sensitive data, we enable you to do this all without upfront policies, rules or regex, and deploying the solution won’t require large teams to operationalize. 


Want to see for yourself, with your own data, how Concentric can help you with NYCRR 500 compliance? Book a demo today.   




Libero nibh at ultrices torquent litora dictum porta info [email protected]

Getting started is easy

Start connecting your payment with Switch App.