On March 1, 2017, the Department of Financial Services enacted a regulation establishing cybersecurity requirements for financial services companies, 23 NYCRR Part 500 (referred to below as “Part 500” or “the Cybersecurity Regulation”). Part 500 was amended for the first time in April 2020 to change the date of the required annual certification filing from February 15 of each year to April 15. 

Since the regulation was adopted, the cybersecurity landscape has changed tremendously as threat actors have become more sophisticated and more prevalent, cyberattacks have become easier to perpetrate (such as with ransomware as a service) and more expensive to remediate, and additional cybersecurity controls are available to manage cyber risk at reasonable cost. Moreover, the Department has found, from investigating hundreds of cybersecurity incidents, that there is a tremendous amount that organizations can do to protect themselves. As a result, Part 500 was amended again, effective November 1, 2023.

Overview of Cybersecurity Rules: Introduces the foundational aspects of the NY 500 rules, highlighting key requirements and the importance of compliance.

Social Engineering: Explores the concept of social engineering, detailing how malicious actors exploit human psychology to breach security protocols.

Ransomware: Focuses on ransomware attacks, offering insights into how they operate and strategies for prevention and response.

Phishing: Examines phishing schemes, teaching participants how to recognize and avoid falling victim to these common cyber threats.