The state of New York late last year adopted a set of compliance requirements for businesses and organizations that report to the Department of Financial Services (DFS). The regulation, known officially as 23 NYCRR 500, will affect a wide array of industries, from banking and insurance to mortgage brokers. Although it went into effect as of March 1, the regulation is allowing affected organizations a transitional period of 180 days (i.e., until Sept. 1) to achieve the first round of compliance.
Specifically, the new requirements mandate any organization overseen by New York’s DFS to comply with regulations meant to anticipate, address and thwart cybercriminals. According to 23 NYCRR, Section 500.0, “This regulation requires each company to assess its specific risk profile and design a program that addresses its risks in a robust fashion.”
A limited exemption applies to covered entities with fewer than 10 employees, less than $5 million in gross revenue, or less than $10 million in year-end total assets. Also exempt are employees, agents, representatives or designees of a covered entity, and covered entities that do not directly or indirectly operate, maintain, utilize or control any information systems. Those that qualify for the limited exemption must file a notice with the DFS.
Either way, these new requirements will significantly impact thousands of businesses throughout New York. Organizations need to be aware of what they need to do and leave themselves enough time to comply.
The swath of organizations that are affected is wide; the DFS oversees the following industries and types of organizations:
banks and trust companies
domestic representative offices
foreign bank branches
foreign representative offices
health insurers, accident and related entities
life insurance companies
mortgage bankers, brokers, loan originators and servicers
New York State regulated corporations
premium finance agencies
property and casualty insurance companies
safe deposit companies
sales finance companies
savings banks and savings and loan associations (S&Ls)
service contract providers
What To Do Now
For businesses that fall under the oversight of the DFS, proposed requirements that need to be met by the first (Sept. 1) deadline include establishing and maintaining a cybersecurity program, implementing and maintaining a cybersecurity policy, designating a qualified individual (internal or outsourced) to serve as chief information security officer (CISO), limiting user access privileges as part of the cybersecurity program, utilizing qualified cybersecurity personnel, establishing a written incident response plan, notifying the superintendent of cybersecurity events as required, and filing a notice of exemption with the superintendent.
Later requirements include submitting an annual certification of compliance to the superintendent, implementing a third-party information security policy, requiring multi-factor authentication, implementing limitations on data retention, ensuring training and monitoring, and encrypting nonpublic information. The cybersecurity program must also include penetration testing and vulnerability assessments, audit trail systems, access privileges, application security and risk assessment.
To meet these requirements, businesses might consider several options, depending on the size of the organization within the marketplace, as well as what level of internal IT capabilities they already possess. For some, specifically those smaller organizations with no current internal IT capabilities, a turnkey solution would make the most sense. In these cases, businesses should look for a package of services that meets all of the requirements set forth in 23 NYCRR 500. (Be sure to partner with an IT provider that is fully aware of these requirements.)
Small to mid-size businesses that may have some internal or outsourced IT capability might need to look for assistance in ensuring compliance with all of the regulations; e.g., identifying an organization that can serve as the company’s CISO. Larger organizations with established internal IT departments might find they need assistance with only one or two of the regulations; in this case, finding an IT partner that can offer a la carte services based on 23 NYCRR 500 makes the most sense.
As cybercriminals continue to become more sophisticated every day, the concerns that inspired the new regulations are real, and other states are considering similar measures. No doubt many businesses are already doing the right thing in terms of protecting their clients’ and their own critical information. 23 NYCRR 500 is meant to ensure that nothing is overlooked in terms of cybersecurity, and that systems are in place to continually assess and improve an organization’s cybersecurity protection.
Al Alper is founder and CEO of Absolute Logic (www.absolutelogic.com). He may be contacted at firstname.lastname@example.org or (855) 255-1550.