New York Codes, Rules and Regulations
Title 23 - FINANCIAL SERVICES
Chapter I - Regulations of the Superintendent of Financial Services
Part 500 - CYBERSECURITY REQUIREMENTS FOR FINANCIAL SERVICES COMPANIES
Section 500.20 - Enforcement
Universal Citation: 23 NY Comp Codes Rules and Regs § 500.20
Current through Register Vol. 46, No. 39, September 25, 2024
(a) This regulation will be enforced by the superintendent pursuant to, and is not intended to limit, the superintendent's authority under any applicable laws.
(b) The commission of a single act prohibited by this Part or the failure to act to satisfy an obligation required by this Part shall constitute a violation hereof. Such acts or failures include, without limitation:
(1) the failure to secure or prevent unauthorized access to an individual's or an entity's nonpublic information due to noncompliance with any section of this Part; or
(2) the material failure to comply for any 24-hour period with any section of this Part.
(c) In assessing any penalty for a violation of this Part pursuant to the Banking Law, Insurance Law or Financial Services Law, the superintendent shall take into account, without limitation, factors including:
(1) the extent to which the covered entity has cooperated with the superintendent in the investigation of such acts;
(2) the good faith of the entity;
(3) whether the violations resulted from conduct that was unintentional or inadvertent, reckless or intentional and deliberate;
(4) whether the violation was a result of failure to remedy previous examination matters requiring attention, or failing to adhere to any disciplinary letter, letter of instructions or similar;
(5) any history of prior violations;
(6) whether the violation involved an isolated incident, repeat violations, systemic violations or a pattern of violations;
(7) whether the covered entity provided false or misleading information;
(8) the extent of harm to consumers;
(9) whether required, accurate and timely disclosures were made to affected consumers;
(10) the gravity of the violations;
(11) the number of violations and the length of time over which they occurred;
(12) the extent, if any, to which the senior governing body participated therein;
(13) any penalty or sanction imposed by any other regulatory agency;
(14) the financial resources, net worth and annual business volume of the covered entity and its affiliates;
(15) the extent to which the relevant policies and procedures of the company are consistent with nationally recognized cybersecurity frameworks, such as NIST; and
(16) such other matters as justice and the public interest require.