23 NYCRR 500 Risk Assessment | Risk Assessment Tool


By Bill Minahan   |   January 28, 2020

23 NYCRR 500 Risk Assessment

The risk assessment is an essential component of 23 NYCRR 500 compliance. The New York Cyber Security Regulation, which took effect in March 2017, outlines 23 sections of cyber security requirements that covered entities are legally obligated to comply with.

In fact, all but a select few of the cyber security requirements laid out in 23 NYCRR 500 rely on the findings of a thorough risk assessment. As a result, it’s critical to understand what a risk assessment is and how to conduct one.

For more information on the regulation, covered entities, and how to become compliant, read our checklist here.

23 NYCRR 500 Risk Assessment Clause: 500.9

23 NYCRR 500 requires covered entities to create and maintain an effective cyber security program as well as a written cyber security policy. However, before any of this, the New York Department of Financial Services (DFS) requires organizations to complete a risk assessment.

The objective of the 23 NYCRR 500 risk assessment is to rate an organization’s cyber security posture. Specifically, the risk assessment compiles information around your current IT infrastructure by inspecting the effectiveness of your current controls, protocols, and policies. Afterward, it compiles a list of your organization’s vulnerabilities as well as a list of solutions.

The aim of the risk assessment is to highlight any weaknesses or vulnerabilities in your network security so that any risks can be addressed, and therefore, any financial data will be kept safe. As a result, many opt for the risk assessment to be done by an unbiased third-party cyber security provider that can rate your network security objectively.

Compliance with 23 NYCRR 500 is almost entirely contingent on the initial assessment because it works as a benchmark to mark the strength of an organization’s cyber security. Afterward, an organization can create, maintain, and implement an effective cyber security program and written policy.

What is a Risk Assessment?

A risk assessment is a questionnaire that a leadership team or member must answer to the best of their ability. Unlike a cyber security audit, a risk assessment simply rates the strength of your cyber security posture within your overall business environment at the time of the assessment.

It covers every aspect of your organization’s cyber security and then generates a score based on your risks. The risk assessment takes into consideration the size of your organization, your employee policies, authentication practices and more.

Taking a risk assessment isn’t time-consuming or daunting. In fact, it only takes roughly 10 minutes to complete.

In short, conducting periodic risk assessments gives your organization, customers, and DFS assurance in your cyber security. Likewise, it helps protect your organization from the financial consequences of cyber attacks.

Conduct a Risk Assessment for 23 NYCRR 500

If your organization is ready to conduct a risk assessment and begin compliance with 23 NYCRR 500, then use our automated risk assessment tool.

Our automated tool is free to use and generates an objective and thorough report based on your network’s risk. The assessment tool is tailored to 23 NYCRR 500 compliance. Furthermore, DFS accepts it as a valid completion of your risk assessment.

Afterward, our cyber security experts can walk you through your report and answer any questions you may have. Additionally, aNetworks can help you fulfill further requirements related to your cyber security program and policies.

Furthermore, if you have any questions regarding the risk assessment, schedule a meeting with one of our analysts. Otherwise, you can call us directly at 855-459-6600.

Finally, you can always find us on Twitter, LinkedIn, and Facebook.