How to Prepare for New York’s Cybersecurity Regulations

Partner with Interphase Systems to ensure you are compliant with the new 23 NYCRR 500 regulations quickly and efficiently.

Overview of 23 NYCRR 500 Cybersecurity Regulation

On March 1, 2017, the New York State Department of Financial Services implemented a new regulation, Cybersecurity Requirements for Financial Services Companies (23 NYCRR 500), for all financial institutions and insurance companies that operate in the state. This regulation is the first of its kind, compelling organizations to take action to protect themselves and private consumer data from cyber threats.

These requirements focus on implementing preventive and reactive policies that can help covered institutions protect themselves from malicious attacks and recover quickly and efficiently should a security incident occur. There are also mandates that require organizations to report all cyber incidents to the Superintendent of the New York Department of Financial Services, which creates transparency into attempted or successful cyberattacks, and to file annual reports verifying compliance with the regulation.

Wondering if your firm is exempt? You can find a list of exemptions from this regulation in Section 500.19.

A Trusted Advisor to Guide You Through It – Efficiently!

Creating a robust cybersecurity program in 180 days is no easy feat. When you partner with Interphase Systems, you have the resources and cybersecurity experts you need to help you become compliant with each phase of the new regulation. There are 4 phases of this regulation that institutions must complete by March of 2019, with a first phase deadline of August 28, 2017.

We have worked with organizations in the financial industry since 1995 and understand the inner workings of your type of organization, as well as the types of sensitive data you encounter on a daily basis. Our cybersecurity team can easily navigate the complexities of creating and implementing cybersecurity policies and security controls such as those required by the New York State Department of Financial Services.

Our process begins with a consultation with our cybersecurity experts, followed by an assessment of your current environment and/or existing security program. This helps us determine the extent of our assistance. Through the entire process, you can count on our independent and unbiased security experts to help get you compliant and continue with the ongoing tasks associated with the 23 NYCRR 500 Cybersecurity Regulation. Below is a list of some of our related services:

Security Risk Assessment

Find out where things stand. We assess your vulnerability gaps and determine how to best meet the new regulations with what you have in place today.

Virtual Chief Information Security Officer (CISO)

We assign a Virtual CISO to work with your team and vendors so you can meet the new cybersecurity requirements and know they are handled.

Cybersecurity Program & Policies

We assist in the creation or review of the Cybersecurity program for your organization, including policy development.

Cybersecurity Awareness & Training Program

Ensure your staff is well versed on how to prevent and protect against modern cybersecurity attacks. We even conduct simulated phishing campaigns to ensure your staff is ready.

Incident Response Plans

We help develop a pre-planned procedure for responding to a cybersecurity breach so threats are stopped and the aftermath is dealt with quickly and properly.

Penetration Testing & Vulnerability Assessments

We identify potential risks and vulnerabilities using tools and advanced investigative techniques to uncover potential threats.

Key Actions and Timelines

August 2017

Requirements to be completed
  • Cybersecurity Policy
  • Appoint Chief Information Security Officer (CISO)
  • Access Privileges
  • Cybersecurity Personnel & Intelligence
  • Incident Response Plan
  • Notices to Superintendent

September 2018

Requirements to be completed
  • Create and Maintain Audit Trail of Transactions
  • Implement Policies & Procedures for In-House Developed Applications
  • Create and Implement Policies and Procedures for Disposal of Nonpublic Data
  • Implement Encryption of Nonpublic Information

March 2019

Requirements to be completed
  • Create and Maintain Third-Party Information Security Policy

Certification of Compliance

All institutions covered by this regulation must prepare and submit an Annual Certification of Compliance to the Superintendent of the New York State Department of Financial Services. The first submission date is Wednesday, February 15, 2018. This includes all requirements of 23 NYCRR 500 that must be in place prior to this date. Lean on Interphase as your trusted advisor to create the submission for you.

Take the First Step. Schedule a Consultation.

Whether you are starting a cybersecurity program from scratch, or need an extra set of hands to help you prepare for the New York Cybersecurity Requirements, our experts can support you every step of the way. Complete the form below and we will be in touch with you shortly.