Title 23 NYCRR Part 500

Title 23 NYCRR Part 500 overview

In response to the significant and ever-increasing threats to the cybersecurity of information and financial systems, in 2017, the State of New York Department of Financial Services imposed a new set of cybersecurity requirements on financial institutions that are licensed or authorized to do business in the state. Title 23 New York Codes, Rules, and Regulation Part 500: Cybersecurity Requirements for Financial Services Companies is designed to protect customer data and the information technology systems of financial institutions such as state-chartered, private, and international banks, mortgage brokers, and insurance companies.

Microsoft and Title 23 NYCRR Part 500

Microsoft provides a comprehensive guide, Microsoft Cloud Services: Supporting Compliance with NYDFS Cybersecurity Requirements, for financial services regulated under Title 23 NYCRR Part 500. It explains in depth how Azure, Office 365, and Power BI cloud services support compliance with the requirements. Financial institutions that seek to operate in the global financial center of New York must meet them, so compliance is critical for many institutions.

The New York regulations require each financial institution to:

  • Develop and maintain a robust cybersecurity program starting with an assessment of the institution's specific risk profile and then designing a program that addresses them. See Microsoft Cloud Financial Services for information on engaging with Microsoft Cloud for Financial Services. Additionally, the Financial Services page of our Service Trust Portal contains country specific resources to help you better understand how to meet your global regulatory requirements.
  • Implement a comprehensive cybersecurity policy that addresses information security, data governance and classification, access controls, business continuity, and the like. Microsoft offers guidance for developing this policy with in-depth information about our certifications and risk assessments; business continuity and disaster recovery metrics; and diagnostics for logging and auditing.
  • Designate a chief information security officer (CISO) to manage the cybersecurity program and enforce policy. To help your CISO, Microsoft provides in-depth cybersecurity information about Microsoft cloud deployments through Microsoft Defender for Cloud, Office 365 Advanced Threat Analytics, and Power BI Security.
  • Monitor and test the effectiveness of its cybersecurity program: Microsoft provides information from audits of its cybersecurity practices that include continuous monitoring, periodic penetration testing, and vulnerability assessments. Customers can conduct their own tests without advance permission from Microsoft.
  • Maintain an audit trail. Built-in audit functionalities of Azure, Office 365, and Power BI customers generate information that can be used to reconstruct financial transactions and develop audit trail information.
  • Limit access to information systems that contain nonpublic information: Measures that Azure, Office 365, and Power BI offer a role-based access control (RBAC) process native to each service, strict security and access requirements for every Microsoft administrator, and audits of every request for elevated access privileges.
  • Institute procedures to assess and test the security of externally developed applications: For developers using Visual Studio, Security Rules for managed code can help ensure that application cybersecurity threats are detected and mitigated before the code is deployed.
  • Use periodic risk assessments to design and enhance cybersecurity programs: For customers, Microsoft aggregates information about security threats, provides roadmaps of change management, and regularly updates information about subcontractors. Microsoft also regularly conducts risk assessments of its own services, the results of which are available to customers.
  • Use qualified personnel to manage cybersecurity risks and oversee cybersecurity functions: Microsoft employs stringent procedures for our employee access to your customer data. If we hire subcontractors, we remain responsible for service delivery, and ensure that subcontractors fully comply with Microsoft privacy and security commitments, including requirements for handling sensitive data, background checks, and non-disclosure agreements.
  • Implement policies and procedures to ensure the security of information held by third-party service providers: Azure, Office 365, and Power BI make multi-factor authentication available for all inbound connections to company networks; implement controls, including encryption, to protect nonpublic information in transit over external networks and at rest; and offer Microsoft Online Services Terms that provide for customer notification, incident investigation, and risk mitigation for security incidents.
  • Implement data retention and deletion policies and procedures: You can always access and extract your customer data stored in Azure, Office 365, and Power BI.
  • Monitor the activity of authorized users, detect unauthorized access, and offer regular cybersecurity awareness training to employees: Azure, Office 365, and Power BI include outside-in monitoring to raise alerts about incidents, and extensive diagnostics for logging and auditing. Microsoft Virtual Academy offers online training that covers the cybersecurity of Microsoft cloud services.
  • Develop plans to respond to and recover from cybersecurity incidents: Microsoft helps you prepare for cybersecurity incidents using a defensive strategy to detect, predict, and prevent security breaches before they occur. When developing your own plans, you can draw on our incident management plan for responding to cybersecurity breaches.

Microsoft in-scope cloud platforms & services

  • Azure
  • Intune
  • Office 365

Office 365 and Title 23 NYCRR Part 500

Office 365 environments

Microsoft Office 365 is a multi-tenant hyperscale cloud platform and an integrated experience of apps and services available to customers in several regions worldwide. Most Office 365 services enable customers to specify the region where their customer data is located. Microsoft may replicate customer data to other regions within the same geographic area (for example, the United States) for data resiliency, but Microsoft will not replicate customer data outside the chosen geographic area.

This section covers the following Office 365 environments:

  • Client software (Client): commercial client software running on customer devices.
  • Office 365 (Commercial): the commercial public Office 365 cloud service available globally.
  • Office 365 Government Community Cloud (GCC): the Office 365 GCC cloud service is available for United States Federal, State, Local, and Tribal governments, and contractors holding or processing data on behalf of the US Government.
  • Office 365 Government Community Cloud - High (GCC High): the Office 365 GCC High cloud service is designed according to Department of Defense (DoD) Security Requirements Guidelines Level 4 controls and supports strictly regulated federal and defense information. This environment is used by federal agencies, the Defense Industrial Base (DIBs), and government contractors.
  • Office 365 DoD (DoD): the Office 365 DoD cloud service is designed according to DoD Security Requirements Guidelines Level 5 controls and supports strict federal and defense regulations. This environment is for the exclusive use by the US Department of Defense.

Use this section to help meet your compliance obligations across regulated industries and global markets. To find out which services are available in which regions, see the International availability information and the Where your Microsoft 365 customer data is stored article. For more information about Office 365 Government cloud environment, see the Office 365 Government Cloud article.

Your organization is wholly responsible for ensuring compliance with all applicable laws and regulations. Information provided in this section does not constitute legal advice and you should consult legal advisors for any questions regarding regulatory compliance for your organization.

Office 365 applicability and in-scope services

Use the following table to determine applicability for your Office 365 services and subscription:

Applicability In-scope services
Commercial Exchange Online Protection, Exchange Online, Office 365 Customer Portal, Office Online, Office Services Infrastructure, OneDrive for Business, SharePoint Online, Skype for Business

Frequently asked questions

What institutions are covered under this regulation?

Consult the New York Department of Financial Services Who We Supervise site to determine whether your institution is governed by this regulation.


Other Microsoft resources for financial services