N.Y. Comp. Codes R. & Regs. tit. 23 § 500.20

Current through Register Vol. 46, No. 45, November 2, 2024
Section 500.20 - Enforcement
(a) This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws.
(b) The commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof. Such acts or failures include, without limitation:
(1) the failure to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of this Part; or
(2) the material failure to comply for any 24-hour period with any section of this Part.
(c) In assessing any penalty for a violation of this Part pursuant to the Banking Law, Insurance Law or Financial Services Law, the superintendent shall take into account, without limitation, factors including:
(1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts;
(2) the good faith of the entity;
(3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless or intentional and deliberate;
(4) whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions or similar;
(5) any history of prior violations;
(6) whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations;
(7) whether the covered entity provided false or misleading information;
(8) the extent of harm to consumers;
(9) whether required, accurate and timely disclosures were made to affected consumers;
(10) the gravity of the violations;
(11) the number of violations and the length of time over which they occurred;
(12) the extent, if any, to which the senior governing body participated therein;
(13) any penalty or sanction imposed by any other regulatory agency;
(14) the financial resources, net worth and annual business volume of the covered entity and its affiliates;
(15) the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST; and
(16) such other matters as justice and the public interest require.

Adopted, New York State Register March 1, 2017/Volume XXXIX, Issue 09, eff. 3/1/2017
Amended New York State Register November 1, 2023/Volume XLV, Issue 44, eff. 11/1/2023