Amendments to 23 NYCRR Part 500 are in effect—are you in compliance?

Cybersecurity is an ever-growing concern

Cyber criminals aren’t going away. In fact, they are increasing in number, and organizations worldwide are dealing with new and advanced threats to their infrastructure. These cybersecurity events range from data breaches exposing millions of sensitive records to sophisticated ransomware attacks that cripple critical infrastructure, and the financial services industry is a main target.

In response to the growing sophistication of cyberattacks, on November 1, 2023, the New York State Department of Financial Services (NYDFS) amended its regulation 23 NYCRR Part 500 on securing customer information and protecting information technology systems. To be compliant with the new amendments, any business that is required to operate under a license or similar authorization under banking law, insurance law, or financial services law, and that does business in New York, must implement these changes no later than April 29, 2024.

So, what are the changes? How does ITAM fit into alleviating some of these requirements, and how can you better prepare your business for future changes?

Amendments that affect ITAM

Enhanced cybersecurity policy:

The first change that involves ITAM is in the cybersecurity policy section (500.3). Along with asset inventory and device management, it is now required to cover end-of-life (EOL) management and vulnerability management.

Vulnerability management:

Under the vulnerability management section (500.5), penetration testing is now required from both inside and outside the information system’s boundaries, along with automated scans of IT systems and a manual review of any systems that are not covered by the scans. These additions are designed to inform your organization promptly of new security vulnerabilities and to help remediate them in a timely manner by prioritizing vulnerabilities based on risk.

Detailed asset management:

Section 500.13, asset management and data retention requirements, now requires a method to track key information for each IT asset, including the owner, location, classification or sensitivity, EOL date, recovery time objective (RTO), and the frequency with which the asset inventory is updated.

EOL management:

While there is no section devoted purely to EOL management, it is covered in section 500.13. EOL data must be tracked, and policies and procedures must be established for disposing of non-public information at its EOL.

How Flexera can help

Flexera is the trusted ITV and ITAM tool of many of the top banks in the world, and nine of the top ten U.S. insurance companies. Now that Flexera has acquired another major ITAM solution in Snow Software, Flexera can bring together even more experience, even more technology data and intelligence, and even more options to fit your business.

Flexera helps you put your EOL/EOS data to use, protecting your environment from security and compliance risks, increased support costs, and other obsolescence issues by drawing on the world’s most trusted and comprehensive IT asset information source, Technopedia. Enrich and normalize configuration items with lifecycle and migration information, plan effectively for updates and upgrades of your IT assets to stay ahead of potential vulnerabilities, and utilize proactive patching to ensure your environments are always safe.

Flexera prioritizes vulnerabilities. Our Secunia research team provides the most accurate and reliable source of vulnerability intelligence. Benefit from software vulnerability research to drive awareness of any vulnerabilities matching your specified criteria, utilize a software vulnerability manager to identify, prioritize, and patch known vulnerabilities detected in your environment, and utilize both our vulnerability research data and public NVD data to secure your entire estate.

Flexera helps with more than compliance: it also helps you save millions on software licenses and expensive true-up costs. By utilizing Flexera One ITAM, we can find your missing hardware and calculate even the most complex software license positions, like Microsoft SQL Server, IBM Cloud Paks, or Oracle Middleware. In today’s evolving landscape, you need a solution that can do more than calculate your on-premises needs. You need a solution that can handle your entire hybrid estate, including containers, VMs, SaaS, and both private and public cloud instances.

Don’t wait until April 29

Don’t get caught on your back foot. These are not small updates to the regulation, and the specifics listed are not easily implemented. Let Flexera assist you in preparing for the 23 NYCRR Part 500 amendments today. We can help you achieve compliance, improve your cybersecurity posture, and save you millions on software licenses.



Disclaimer: This blog is not intended to help you satisfy all legal requirements of the amendments of the law, nor cover all new amendments to the law. This blog is to help you understand at a high level some of the options and actions that may be necessary moving forward for your organization’s cybersecurity practices. For more information about the updated amendments to 23 NYCRR Part 500 please visit https://www.dfs.ny.gov/industry_guidance/cybersecurity.