NY State Cybersecurity Regulation (23 NYCRR 500)

NY State was the first to recognize the importance of establishing and maintaining a cybersecurity program to deal with the ever-changing cyber-threat landscape. The regulation has created several categories that affect how the law is applied to your business:

  • Covered Entity / Limited Exempt - A licensed entity that qualifies for certain statutory exemptions.
  • Covered Entity / Non-Exempt - A licensed entity that must adhere to all sections of the cybersecurity regulation.
  • Non-Covered Entity - An entity that is not required to operate under a license authorized by the Banking, Insurance or Financial Services Laws.
  • Third Party Service Provider - An entity (which may itself be a Covered Entity, limited exempt or non-exempt) that provides services to a Covered Entity and maintains, possesses or is otherwise permitted to access Nonpublic Information through its provision of services to the Covered Entity.

LCG understands the insurance space and we know how to help you. Schedule an appointment with us now so we can determine the service that is best for you.

Self-Assessment Tools

*Click on the links below to go to each tool.

  1. Learn the NY Cybersecurity regulation - (coming soon)
  2. Internal Risk Assessment Questionnaire  - (coming soon)
  3. Identify Your Third Party Service Providers - Create a list of your third party service providers so LCG can manage the due diligence process for you.
  4. Third Party Service Provider Questionnaire - Create a single, unified response to every inquiry about your cybersecurity program when you have been identified as a Third Party Service Provider to another business, or direct your own Third Party Service Providers to this questionnaire to gather the necessary due diligence information (section 500.11).

Cybersecurity 360 - Everything Insurance Providers Need to Survive

*Section numbers related to 23 NYCRR 500 are noted in red.

For Limited Exempt Entities

  • Risk Assessment - A custom, fixed-fee service for Limited Exempt entities that gathers the critical information needed to inform your cybersecurity program as required by law (500.02, 500.03, 500.09, 500.14).

For All Entities

  • Computer Forensic Insider Threat Assessment - A targeted evaluation of an employee computer to identify unauthorized data transfer (500.02, 500.03).
  • Penetration Testing - Discovery and analysis of the likelihood and severity of exploitable vulnerabilities (500.05a, 500.12, 500.15).
  • Threat Emulation - Simulation of specific adversarial attack sets against your existing defenses.
  • Social Engineering Campaigns - Evaluation of personnel vigilance and of the effectiveness of organizational awareness training against cyber-attacks.
  • Vulnerability Assessment - Examination of your current defensive posture for gaps and areas for improvement (500.05b, 500.12, 500.15).
  • Wireless Assessment - Assessment of the wireless network security posture of a physical location.
  • Physical Assessment - Assessment of the access controls and operational security practices of a physical location.
  • Hunt Operations - Seek-and-destroy missions for known malicious intrusions into the environment.
  • Incident Response - Includes recovery and restoration of systems after a malicious incident has occurred (500.16).
  • Network Forensic Analysis - Digital forensics of data integrity and transmission, usually as part of an incident response (500.16).
  • Policy Auditing - Review of company information security and operational security policies and practices (500.02, 500.03).
  • Compliance Review - Auditing of organizational adherence to regulatory and industry frameworks such as PCI-DSS, HIPAA, NIST, OWASP, etc.
  • Remediation Support - Remediation implementation support and validation, which usually follows a Vulnerability Assessment (500.16).
  • Curriculum Development - Design, development, and implementation of cyber awareness and similar training and education program(s) (500.14).
  • Training and Education - Delivery of cyber-related training and education, such as awareness and technical countermeasures (500.14).
  • Table-Top Exercise - Gamified review of policies and practices that identifies an organization's strengths and weaknesses.
  • Third Party Service Provider Due Diligence Management - Assistance managing the collection and interpretation of information about your TPSPs (500.11).
  • Forensic Data Wiping - Secure wiping of computer hard drives to ensure that sensitive data cannot be recovered (500.13).
11767 Katy Freeway, Suite 515
Houston, TX 77079

Our Clients hire us because we provide honest advice, excellent customer service, and winning solutions based on experience. The best way to find out how we can help you is to call us.

Copyright 2008-2019. LCG Discovery Experts, LLC d/b/a LCG, LLC. All Rights Reserved