Overview of 23 NYCRR 500 Cybersecurity Regulation
On March 1, 2017, the New York State Department of Financial Services (DFS) put into effect a new regulation, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), covering the banks, insurance companies and other financial services firms it regulates. It was the first state regulation of its kind, compelling these organizations to take concrete steps to protect their information systems, and the nonpublic consumer data they hold, from cyber threats.
The requirements focus on preventive and reactive policies that help covered entities defend against malicious attacks and recover quickly and efficiently when a security incident does occur. Covered entities must also notify the Superintendent of the New York Department of Financial Services within 72 hours of determining that a qualifying cybersecurity event has occurred, whether the attack was attempted or successful, and must file an annual certification of compliance with the regulation.
Wondering whether your firm is exempt? The limited exemptions from this regulation are listed in Section 500.19.
A Trusted Advisor to Guide You Through It – Efficiently!
We have worked with organizations in the financial industry since 1995 and understand how firms like yours operate and the kinds of sensitive data you handle every day. Our cybersecurity team is experienced in writing and rolling out cybersecurity policies and in implementing security controls such as those the New York State Department of Financial Services requires.
Our process begins with a consultation with our cybersecurity experts, followed by an assessment of your current environment and/or existing security program, which establishes how much help you need and where. Throughout, you can count on our independent and unbiased security experts to help you reach compliance and to keep up with the ongoing obligations of the 23 NYCRR 500 Cybersecurity Regulation. Some of our related services:
- Virtual Chief Information Security Officer (CISO)
Key Actions and Timelines
Section 500.22 phases the requirements in over two years from the March 1, 2017 effective date. Grouped by transitional deadline:
Within 180 days (by August 28, 2017):
- Cybersecurity Policy
- Appoint Chief Information Security Officer (CISO)
- Access Privileges
- Cybersecurity Personnel & Intelligence
- Incident Response Plan
- Notices to Superintendent
Within one year (by March 1, 2018):
- CISO Begins Reporting to Board of Directors
- Begin Annual Penetration Testing and Vulnerability Assessments
- Commencement of Periodic Risk Assessments
- Implement Multi-Factor Authentication
- Provide Cybersecurity Training for All Personnel
Within 18 months (by September 1, 2018):
- Create and Maintain Audit Trail of Transactions
- Implement Policies & Procedures for In-House Developed Applications
- Create and Implement Policies and Procedures for Disposal of Nonpublic Data
- Implement Encryption of Nonpublic Information
Within two years (by March 1, 2019):
- Create and Maintain Third-Party Information Security Policy
Certification of Compliance
Every covered entity must prepare and submit an annual Certification of Compliance to the Superintendent of the New York State Department of Financial Services, covering its compliance during the prior calendar year. The first submission date is February 15, 2018, and that certification covers the requirements of 23 NYCRR 500 that had to be in place before then. Lean on Interphase as your trusted advisor to prepare the submission for you.