A Study on Cybersecurity Regulation for Financial Sector: Policy Suggestion based on New York’s Cybersecurity Regulation (23 NYCRR 500)

Docheol Kim, Inseok Kim


In March 2017, the State of New York became the first state to implement regulation specific to cybersecurity for financial institutions. Unlike previous regulations regarding information security, it sets minimum requirements to establish a cybersecurity program based on risk assessment results, protect Nonpublic Information, designate a CISO, and report to the regulatory entity. This paper presents the need for a new cybersecurity policy in Korea by examining the newly adopted cybersecurity regulation in the United States. Finally, the paper identifies policy suggestions based on the United States’s approach, as it has successfully implemented the program.





