23 NYCRR Part 500 is law
Companies doing business in New York may no longer have a choice: New York's “23 NYCRR Part 500” is now law, and minimum cybersecurity practices must be in place. Just this week the grace period for the transition ended, and as of February 15, 2018, covered entities are required to submit their certifications for review. In September 2018, companies will be required to comply with additional cybersecurity regulations in order to conduct business in the State of New York.
Who is responsible for meeting the regulations?
“Any Person operating under or required to operate under a license, registration, charter, certificate, permit, accreditation or similar authorization under the Banking Law, the Insurance Law or the Financial Services Law.”
The law covers any organization that is regulated by the Department of Financial Services. This includes but is not limited to:
- Insurance companies
- Banks – private and state
- Mortgage lenders
- Financial service providers
- Other financial service lenders
What is required?
The cybersecurity requirements are set out in 23 NYCRR Part 500. Here’s a high-level overview of the items every covered entity must address:
- Section 500.2 Cybersecurity Program
- Section 500.3 Cybersecurity Policy
- Section 500.4 CISO
- Section 500.5 Penetration Testing and Vulnerability Assessment
- Section 500.6 Audit Trail
- Section 500.7 Access Privileges
- Section 500.8 Application Security
- Section 500.9 Risk Assessment
- Section 500.10 Cybersecurity Personnel and Intelligence
- Section 500.11 Third Party Service Provider Security Policy
- Section 500.12 Multifactor Authentication
- Section 500.13 Limitations on Data Retention
- Section 500.14 Training and Monitoring
- Section 500.15 Encryption and Nonpublic Information
- Section 500.16 Incident Response Plan
- Section 500.17 Notices to Superintendent
Where is this going and what does this tell us about other states?
For years the industry has self-regulated in the cybersecurity space. As we’ve seen, that has been less than effective. Cybersecurity is now mainstream and here to stay. The new regulations signal a trend that the entire country will be moving towards. New York has been a pioneer in legislating cybersecurity requirements, and other states are close behind.
- In North Carolina, legislators will vote this week to enact their own cybersecurity legislation which may be much further reaching than New York’s.
- Colorado is also following this trend by implementing new security regulations for Investment Advisors as well as laws that require companies to disclose breach information if a certain number of client records are compromised.
- Additional states are drawing up cybersecurity legislation similar to 23 NYCRR Part 500.
Is my company doing enough?
From a technical standpoint, the legislative requirements primarily focus on items that must be included in your policies. Policies dictate the guidelines you plan to follow as you approach cybersecurity concepts.
For example, have you had to change your password after 90 days? That’s a policy requirement defined by your IT department.
However, without proper follow-through, policies are simply words on paper. A necessary next step is to put procedures in place that enact and align with those policies.
How can Rigid Bits help?
Make cybersecurity a priority in 2018. Rigid Bits is a cybersecurity services and solutions provider with years of experience improving security programs. Our qualified and experienced staff can help you meet and understand the legislative requirements.
Many businesses are unaware of the limitations of their internal IT or third-party IT providers and have vulnerabilities within their systems that leave them exposed to the risk of a cyber-attack. With that in mind, we work closely with your team to provide guidance and services above and beyond what they are already doing, bringing immediate value, awareness, and better protection.
Call 1-800-626-5056 or email us today to learn more about how this affects your business directly and what Rigid Bits can do to help you reduce your risk and become compliant. Our packaged solutions are designed to help your company stay secure and meet regulatory compliance requirements.