What You Need to Know About the New York State Cybersecurity Regulations - 23 NYCRR 500

On March 1, 2017, New York State released new regulations, titled Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), for institutions regulated by the New York Department of Financial Services (DFS). This states that any organization overseen by the NY DFS must establish internal policies and procedures to ensure a large focus is placed on the protection of local businesses and individuals from cyberattacks.

These requirements state that all financial services, banks, and credit unions, as well as mortgage companies, insurance companies, and other entities, must establish a cybersecurity program by August 28, 2017. This includes any organization that holds any institution or branch in the state of New York.

Why This Regulation is Important

Financial institutions are a main target of cyber threats. Because of that, many financial institutions and consumers have seen significant financial losses at the hands of cybercriminals. The New York DFS designed the 23 NYCRR 500 regulation to focus on cybersecurity in the belief that heightened priority of the company and consumer data will prevent monetary loss.

All in all, this means that all financial firms headquartered or operating in New York need to either strengthen their current cybersecurity plan, or create an entire program from the ground up. If the outcome of this cybersecurity regulation is successful in New York, other states may release similar guidelines in the future.

High Level Cybersecurity Program Requirements

When reviewing or creating their cybersecurity program, financial institutions must ensure that they:

• Establish or Maintain a Cybersecurity Program
• Establish and Maintain Enterprise-wide Cybersecurity Policies
• Designate a Qualified Chief Information Security Officer (CISO)
• Perform Annual Penetration Testing and Bi-annual Vulnerability Assessments
• Train Employees on Modern-Day Cybersecurity Threats
• Perform Risk Assessments of All Third-Party Service Providers
• Maintain a Written Incident Response Plan
• Include Robust Incident Monitoring and Reporting Systems
• Submit Annual Certification of Compliance

When do these Regulations Take Effect?

An important date that is approaching quickly is August 28, 2017. This is the day that all covered entities, whether you’re based in New York, or have a branch in the state, must have a fully comprehensive cybersecurity policy in place. You must also appoint a Chief Information Security Officer, which can be an internal staff member or a Third-Party Vendor.

How to Get Started

Interphase Systems, Inc. has spent years working with organizations helping them evaluate, prepare, strengthen and execute their cybersecurity programs. Our experts know firsthand the complexities involved when successfully implementing these requirements into a current IT environment. Although this is no easy feat, it is not impossible. The question you may be asking is, “Where do I start?” when there are only months to put all of these provisions in place.

Get a baseline of where your IT security currently stands with a Cybersecurity Risk Assessment by Interphase. Through our independent and unbiased security experts, Interphase is able to provide a security gap analysis, showing you where your company is at now, compare it to where it needs to be with the new regulations, and give you a roadmap on how to get there.

Over the next few weeks, we are going to dive deeper into the different provisions within this regulation to help you understand the importance of creating a cybersecurity program. Click here to sign up for notifications of upcoming blog posts, webinars, videos and more.

Don’t Delay!

A Cybersecurity Risk Assessment is the first step towards getting compliant with 23 NYCRR 500. Call us at 610-276-5500 or complete this form to speak with one of our security experts and get your assessment scheduled today!