How Small Businesses Can Comply with NYDFS Cybersecurity Regulation 23 NYCRR Part 500
- Brandie Shaw
- Aug 7
- 4 min read

New York State will no longer waive regulation 23 NYCRR Part 500 for businesses with fewer than 20 employees and less than $7.5 million in revenue after Nov 1, 2025. The State instituted this regulation two years ago to ensure that the businesses it interacts with don’t open the door to cybersecurity threats. While there are still a few exemptions, most now apply across the board.
I know what my fellow SMBs are thinking. It is hard enough to compete with larger companies for these contracts; now there will be another difficult and costly hurdle to overcome! Fortunately, any managed IT services provider (MSP) can help you comply. Besides, these requirements are cybersecurity best practices your business should have anyway. For those who fancy themselves tech-savvy, you might even be able to do it yourself.
Understanding the Basics: What NYDFS Requires of You
Think of the regulation as a framework to build a stronger digital fortress around your business and your clients' sensitive information. Here’s a simplified look at what’s expected:
1. Your Cybersecurity Plan: You need a written plan outlining how you'll protect your systems and data. This isn't just about software; it's about policies and procedures.
2. Knowing Your Risks: Regularly assess where your weaknesses are. Where is your sensitive data stored? Who has access? What could go wrong?
3. Multi-Factor Authentication (MFA): This is like adding a second lock to your digital doors. It means needing something else besides just a password to log in (like a code from your phone).
These are excellent starting points, and for very simple environments, they can provide a foundational layer of protection.
When NOT to do it yourself
If you have more than a computer or two and several employees, the time and cost of managing these requirements yourself grow very quickly, and the work will outstrip a do-it-yourselfer's skills even faster. Setting up MFA may be no challenge, but how about remediating a cyber threat or setting up Identity and Access Management (IAM) and Role-Based Access Controls (RBAC)? Installing a firewall is not something a layperson should attempt. While taking initial steps yourself is commendable, understanding the depth of the NYDFS requirements and the ever-changing cyber threat landscape reveals why many small businesses ultimately partner with Managed Service Providers (MSPs). MSPs have the expertise, the advanced tools, and the dedicated time not only to implement robust solutions but also to ensure continuous compliance, allowing you to focus on what you do best: growing your business.
The Hidden Hurdles: Why DIY Gets Tricky (and Costly)
Here's where the DIY path often becomes challenging, and where the true value of professional help shines:
Beyond the Basics: Advanced Monitoring and Identity Access: While basic MFA is essential, truly robust identity and access management involves centralized systems, single sign-on (SSO), and continuous monitoring for unusual login patterns. Most advanced options for centralized security monitoring, sophisticated vulnerability scanning, and identity and access management platforms are complex to set up and maintain. They often require specialized expertise and a significant investment in time and technology that is simply not feasible for a non-IT expert.
Time is Money: Managing cybersecurity isn't a one-time task; it's continuous. Regularly updating policies, conducting deep risk assessments, monitoring logs, and staying abreast of evolving threats takes significant time away from running your actual business.
Keeping Up with Threats: Cyber threats and regulatory updates evolve constantly. What was secure yesterday might not be today. Without dedicated resources, it's incredibly difficult to stay current and proactive.
The Cost of "Good Enough": A basic DIY setup might lull you into a false sense of security. If a breach occurs due to an oversight that a more robust, professionally managed system would have caught, the financial penalties, reputational damage, and recovery costs will far outweigh the expense of proactive cybersecurity.
Demonstrating Compliance: Just doing the work isn't enough; you need to document it. Proving to the NYDFS that you're compliant requires meticulous record-keeping, audit trails, and reporting, which can be overwhelming to manage manually.
Brandie Kayser, Founder of Roc-IT and Fractional CISO/CTO
Contact us for a free consultation today! info@roc-it.net