Comply with New York State Cyber Security Requirements
The new cybersecurity regulations by the New York State Department of Financial Services (DFS) are officially known as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, or 23 NYCRR 500 for short.
New York State has adopted strict new cybersecurity requirements for financial services companies doing business in New York, and affected organizations must certify compliance with the regulations to the DFS beginning in February 2018.
New York Governor Andrew Cuomo said the "first-in-the-nation" cybersecurity regulations are necessary to "guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible."
You may be wondering what the regulations say and how to comply. We put together this brief FAQ to help you understand what the regulations cover and what protections you should consider in order to meet the compliance requirements. Although this does not constitute legal advice, we hope this FAQ helps you begin planning your next steps toward compliance.
Who is covered?
The DFS is the regulatory body that oversees financial services companies licensed by or operating in New York State. Organizations covered by the new cybersecurity regulations include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial service providers. Limited exemptions apply to certain smaller organizations, but even exempt entities must file a notice of exemption with the DFS.
When do the regulations go into effect?
The regulations went into effect on March 1, 2017, with a 180-day transitional period for companies to comply. Affected organizations must file a Certification of Compliance with the DFS beginning February 15, 2018.
What do the regulations require?
The regulations include a comprehensive list of requirements for protecting information systems from cybersecurity threats and unauthorized access to "non-public information." Below is a partial list of what the regulations require.
Covered Entities Must
Implement a cybersecurity program with written policies and an audit trail
Designate a qualified Chief Information Security Officer (CISO), who may be employed by an affiliate or a third-party service provider, and use qualified cybersecurity personnel
Identify cyber risks and conduct penetration testing at least annually and vulnerability assessments at least twice a year (the February 2017 final rule requires bi-annual assessments; the earlier proposed rule had specified quarterly)
Secure applications by ensuring the use of secure development practices for in-house developed applications, and implement procedures for assessing and testing the security of all externally developed applications
Assess risk to non-public information and information systems accessible to or held by third parties, and conduct third-party security assessments at least annually
Provide regular cybersecurity awareness training and require all personnel to attend
Implement controls, including encryption, to protect non-public information in transit over external networks and at rest; where encryption is infeasible, the CISO must approve effective compensating controls and review them at least annually
Establish a written incident response plan, including notification of the DFS superintendent within 72 hours of determining that a reportable cybersecurity event has occurred
How We Can Help
Strategic organizations understand that compliance is not an end in itself but the outcome of an ongoing process. InfoSecure provides a variety of methods to assess security and compliance with the standard, including assessment, compliance and development team reporting, and secure development training. InfoSecure helps deliver continuous compliance by:
- Providing application security testing that integrates into your software development lifecycle
- Conducting regular discovery scans of the web applications in your domain, including temporary marketing sites, international domains, etc.
- Continuously monitoring your production web applications for vulnerabilities
- Providing virtual patching for your web application firewalls based on the security intelligence from your application assessments
InfoSecure's skilled assessors work with your organization to meet the intent and rigor of the standard. Our services include:
- Risk Assessment
- Vulnerability Scanning
- Incident Response
- Penetration Testing
- Policy and Procedure Development
InfoSecure tailors each engagement to our client's specific needs and provides unsurpassed customer service throughout the project lifecycle.
Let Us Help Your Organization Comply with 23 NYCRR 500