NYC500: The 6 Core Functions of Your Cybersecurity Program

by Adam Abresch | Feb 21, 2017 | Cyber | 0 Comments


Last week Governor Andrew Cuomo announced new cybersecurity regulations in the state of New York that will effect all businesses under the Department of Financial Services.

NYC500 is what we call this challenging regulation that goes into effect March 1st, 2017.

One component of this regulation is your unique Cyber Security Program.

Your comprehensive Cyber Security Program must protect the confidentiality, integrity and availability of your Information Systems.

The Cyber Security program will be based on your Risk Assessment and designed to perform the following 6 core cybersecurity functions:

  • Identify
  • Defend
  • Detect
  • Respond
  • Recover
  • Report





Identifying Cyber threats begins with asking:

“What are our high-value targets?”: Organizations subject to the New York Cyber 500 regulations (NYC500) maintain, collect and transmit sensitive client, customer, and employee information. This Nonpublic Information (NPI) is an organization’s “crown jewels” and must be protected.

“Where is this information at risk?”: NPI is at risk while on an organization’s systems, while in transit and finally when the information resides on a Third Party’s System. Organizations subject to NYC500 must protect the confidentiality, integrity and availability of this Non Public Information (NPI) across the data transmission and storage lifecycle.

“How can someone get to our data?”: Once an organization identifies the type of information at risk, the next step is to determine how this information can be compromised. The three main Cyber Threat Vectors are Outside Attackers, Insider Threats and Third Party Incidents.

 Download NYC500: 6 Core Functions of a Cybersecurity Program infographic


Once an organization identifies its Cyber threats it must develop an infrastructure designed to defend against these internal and external Cybersecurity threats.

In order to protect Information Systems and Nonpublic information from unauthorized use, access or malicious acts, organizations subject to NYC500 must implement policies and procedures that defend sensitive information.



It takes 98 days for the average financial institution to detect an attacker.

Time is of the essence when a cyber event is underway and organizations will need to adopt a combination of advanced technology and best practices to successfully detect Cybersecurity Events.

Cyber events often arise out of the exploitation of both human and technological deficiencies so effective detection measures will need to address both.



Immediately upon detecting a Cyber Incident, your organizations will need to determine:

  • How did it happen?
  • When did it happen?
  • Is it still happening?
  • Who did it happen to?
  • What was accessed?

In order to mitigate the negative effects of Cybersecurity events, organizations subject to NYC500 must be able to effectively respond to identified and detected incidents.

Mobilizing an expert team to execute the organization’s Incident Response Plan is a crucial component of responding efficiently in the wake of a Cybersecurity event.

In the absence of a Breach Response Team, redirecting personnel to handle crisis management and client relations will cost organizations valuable time and resources.

 Download NYC500: 6 Core Functions of a Cybersecurity Program infographic


After responding to Cybersecurity events, organizations subject to NYC500 must begin the recovery process.

Data restoration and system-wide security updates are costly and time consuming pieces of the recovery puzzle.

In the absence of resilient recovery framework, organizations stand to prolong the exposure and exploitation of Nonpublic Information resulting in increased informational and operational losses.



In the wake of a Cybersecurity Event, organizations subject to NYC500 must then fulfill all applicable regulatory reporting obligations.

Each regulatory agency has its own set of reporting standards. In order to comply with each unique agency notification framework, organizations must have policies and procedures in place to ensure reporting compliance.

Organizations subject to NYC500 can meet the requirements of these 6 core concepts by adopting a Cybersecurity Program maintained by an affiliate.

If an organization chooses to use a Third Party or Affiliate, the Affiliate’s Cyber security must cover the Covered Entity’s Information Systems and Nonpublic and meet the requirements of the Cybersecurity Program component of the NYC500.

It is up to every organization regulated by the NYS Department of Financial Service to ensure that Cybersecurity programs protect the confidentiality, availability and integrity of Information Systems.

No business can protect themselves completely against data compromise but developing a Cybersecurity Program that addresses the 6 core Cybersecurity functions is a key component for maintaining compliance with the NYC500 and protecting Nonpublic client information.