The New York State Department of Financial Services (NYSDFS) has issued an updated version of its proposed Cybersecurity Requirements for Financial Services Companies, known as 23 NYCRR 500.
The recently unveiled regulation update follows the mandate’s original publication earlier this year in March. These guidelines require banks, insurers and other financial service companies regulated by the NYDFS to set up a cybersecurity program aimed at protecting consumer information from being compromised or stolen.
Who Should be Paying Attention? Getting to Know the Industries Impacted by 23 NYCRR 500
This NYDFS regulation requires any New York State business that processes or holds personally identifiable information to implement adequate security measures to protect against personal data loss. This includes all New York State insurance companies, banks and other regulated financial service institutions including accounting agencies, wealth management companies, and non-US bank branches.
The regulation is wide-sweeping and will impact Wall St. and at least 1900 organizations with combined assets valued at 2.9 trillion. Plain and simple, if you provide a service or serve as a contract vendor in any of these industries, your business will be subject to these rules.
The NYDFS refers to these organizations as Covered Entities under the regulation and has outlined clear and dated compliance deadlines. Since March, New York insurance and finance organizations have been watching closely and working swiftly to ensure cybersecurity infrastructure and planning is up to snuff with 23 NYCRR 500 provisions.
The 23 NYCRR 500 Timeline: Important Dates in the Regulation’s Roll Out
For impacted businesses, here’s a timeline of 23 NYCRR 500 rollout dates:
- March 1, 2017 – Original 23 NYCRR 500 regulation takes effect.
- August 28, 2017 – 180-day transitional period ends. Covered Entities are required to comply with requirements of 23 NYCRR 500 unless otherwise specified.
- February 15, 2018 – Covered Entities are required to submit the first certification under 23 NYCRR 500.17(b) on or prior to this date.
- March 1, 2018 – One-year transitional period ends. Covered Entities are required to comply with the requirements of sections 500.04(b), 500.05, 500.09, 500.12 and 500.14(b) of 23 NYCRR 500.
- September 3, 2018 – Eighteen-month transitional period ends. Covered Entities are required to comply with the requirements of sections 500.06, 500.08, 500.13, 500.14(a) and 500.15 of 23 NYCRR 500.
- March 1, 2019 – Two-year transitional period ends. Covered Entities are required to comply with the requirements of 23 NYCRR 500.11.
Breaking Down the Regulation: What You Should Know About 23 NYCRR 500
23 NYCRR 500 was derived from National Institute of Standards & Technology (NIST) standards. The regulation holds Covered Entities strictly accountable for protecting client data, both in transit and at rest, through strategic security, data storage, and encryption solutions. The regulation seeks to clearly establish who is to be held accountable for data breaches and urges that organizations have clear-cut awareness and action plans for breach response.
Companies are required to set criteria, develop an incident response plan and implement the right cybersecurity mechanisms to prevent the breach or loss of personal information. Furthermore, organizations are required to explicitly disclose data encryption standards in contracts with all third-party service providers and ensure that standards are held up across the service experience. Finally, the regulation stipulates that these cybersecurity implementations should be overseen by a Chief Information Security Officer (CISO).
Head spinning yet? State regulations can be bogged down in overly-technical talk, so let’s break down the exact mandates that Covered Entities should be aware of:
- Organizations must implement a strong cybersecurity framework, including requirements for a plan that is sufficiently funded, staffed and overseen by qualified management, as well as reported on periodically to the most senior governing body of the organization.
- Organizations must utilize risk-based minimum standards for technology systems, including access controls, data protection, encryption and penetration testing. Encryption requirements for in-transit data protection take precedence and must be met by January 2018. Compliance for at-rest data protection must be met by January 2022.
- Organizations must set out mandatory minimum standards to address any cyber incident, including a dynamic incident response plan, proactive protection of data in response to the breach, and swift notification to the Department of Financial Services (DFS) of all material events.
- Organizations must ensure that company executives certify compliance with the NYDFS regulations on an annual basis. If certifications are not maintained or falsely reported to DFS, organizations leave themselves open to legal claims in the case of a breach.
Staying 23 NYCRR 500 Compliant: How to Get Your Business Up to Code
Now that the basics are laid out, most organizations are wondering – how do I put a plan in action to get and stay compliant? First and foremost, organizations should assess and take a detailed inventory of their current cybersecurity situation.
Evaluate the sheer amount of personal data your organization is accountable for and get rid of old data archives that are no longer relevant. Additionally, take inventory and log all the machines and devices that will need to remain monitored and compliant. By understanding the demands of your organization’s environment, implementing customized and reliable security standards will be easier.
In terms of implementing new standards and policies, here are the top areas for consideration:
Appoint a Chief Information Security Officer (CISO)
Having a specific employee designated to spearhead and monitor security and compliance issues is a fail-safe way to ensure client data is safe and 23 NYCRR 500 standards are upheld. Appointing a CISO is also helpful in streamlining security challenges, as team members are clear on who to approach with questions and concerns.
Establish a Dynamic Cyber Security Program
Organizations should ensure they deploy cybersecurity programs that are dynamic and all-encompassing. The program should cover all aspects of data security and compliance including strategies for data classification, access controls, systems operations, network monitoring, network security, disaster recovery, business continuity, etc.
Develop Detailed Cyber Security Policies
Cybersecurity policies should be clear-cut and consistently enforced. All employees should have access to the organization’s cybersecurity policy documents to ensure efforts to remain compliant are understood and brought full-circle. Policies should include clear guidelines for incident response, client data security, asset inventory, system control and management, vendor relations, risk classification, etc.
Proactively Manage Vendor Relationships
Organizations should ensure that vendor contracts have detailed stipulations about security and compliance standards. Furthermore, there should be a consistent effort to ensure compliance and security standards are upheld by all third-party service providers. This includes implementing annual penetration tests and bi-annual vulnerability assessments to ensure activity with all vendors remains secure and compliant.
Create a Transparent Incident Response Plan
No matter how prepared an organization is, cyber-attacks and data breaches still happen. The key here is making sure your organization has a transparent and strategic plan for responding to cyber-attacks. 23 NYCRR 500 not only requires organizations to create detailed incident response plans but also demands that all cyber incidents be reported to the NYDFS within 72 hours.
For New York state finance and insurance agencies, 23 NYCRR 500 may seem like a nuisance or a huge hassle. But organizations should remember that these regulations are designed specifically to support these industries in an increasingly tech-based environment.
While protecting client data is the number one priority, these regulations also ensure that protections are in place for finance and insurance bodies. By getting up to code, these organizations protect themselves from the larger operational and legal hassles that can result from unexpected attacks and weak cybersecurity planning.
Whatever you do, don’t put off these compliance concerns. Putting 23 NYCRR 500 compliance on the back burner can result in NYDFS sanctions, not to mention the risk you expose your business to by avoiding the regulations or falling behind the pack.
Take the time to understand your network and determine how to best implement custom-fit cybersecurity plans and policies. If you’re overwhelmed, reach out to a team of local cybersecurity experts for guidance and consultation. Don’t get caught up in non-compliance – protect your clients and protect the business by adhering to 23 NYCRR 500 standards.