New York DFS Cybersecurity Regulation FAQ And Security Awareness Training




In New York, a new cybersecurity regulatory regime will go into effect on March 1, 2017. The proposed cybersecurity regulation, known as 23 NYCRR 500, has grabbed the attention of companies doing business in New York, as well as others anticipating cybersecurity requirements in their own jurisdictions and/or industries.

New York Governor Andrew Cuomo announced the new "first-in-the-nation" cybersecurity regulation in September 2016, saying it is necessary to "guarantee the financial services industry upholds its obligation to protect consumers and ensure that its systems are sufficiently constructed to prevent cyber-attacks to the fullest extent possible." The proposed regulation is currently being reviewed by the DFS to take into account comments by the banking industry.

Wondering how to comply with the new regulation?

Here is a short FAQ to help you understand whether and how this regulation affects your organization, what the regulation covers from a security standpoint, and what protections you should consider to meet compliance requirements. This is not legal advice, but we hope this FAQ helps you start the compliance planning process.

What is 23 NYCRR 500?

The new cybersecurity regulation proposed by the New York State Department of Financial Services (DFS) is officially known as Part 500 of Title 23 of the Official Compilation of Codes, Rules and Regulations of the State of New York, or 23 NYCRR 500 for short.

Who is covered?

The DFS is the regulatory body that oversees financial services companies licensed by or operating in New York State. Organizations covered by the new cybersecurity regulation include banks and trust companies, insurance companies, mortgage lenders, investment companies, brokers and other financial services providers. There are some exemptions for some smaller organizations.

When does it go into effect?

Once it is final, the regulation is scheduled to go into effect on March 1, 2017. As originally proposed, there is a 180-day grace period for companies to comply. A further requirement to provide a Certification of Compliance to the DFS will commence in January 2018.

What does the regulation require?

The proposed regulation includes a comprehensive list of requirements for protecting information systems from cybersecurity threats and from unauthorized access to “non-public information.” Below is a partial list of some of the main requirements.

Heightened Board-Level Expectations.

Under the Rules, Covered Entities are required to implement and maintain a written cybersecurity policy. The policy must be approved by the Board (or its equivalent) or an appropriate Board committee or a Senior Officer. Our training will help your Board members or Senior Officers understand the key components and create a framework for reviewing a cybersecurity policy.

Non-Public Information

The Rules apply to “non-public information.” Through our training, your employees will be stepped through what constitutes “non-public information” and learn best practices for handling and using such information.

Penetration Testing and Vulnerability Assessments

Your organization may be required to conduct annual penetration testing and bi-annual vulnerability assessments based on the results of your Risk Assessment. Our training, services, and tools can assist your organization with meeting these requirements.

Third Party Service Providers

Covered Entities are required to have policies and procedures in place designed to ensure the security of Third Party Service Providers. KnowBe4 can help you determine relevant due diligence guidelines for assessing Third Party Service Providers and appropriate contractual provisions to use to protect your “non-public information” in third party arrangements.

Data Retention

Covered Entities must have policies and procedures for securely disposing of “non-public information” on a periodic basis. Our training will guide your employees on best practices for crafting retention policies and on developing methods for identifying and securely disposing of non-public data.

Cybersecurity Event Obligations

Covered Entities must notify the Department of Financial Services within 72 hours of making a determination that a cybersecurity event of the following types has occurred: (1) a cybersecurity event that has a reasonable likelihood of materially "harming" the normal operations of the Covered Entity and (2) a cybersecurity event that requires notice to be provided to any governmental or supervisory body or self-regulatory agency. KnowBe4’s training will walk your employees through the initial steps that should be taken in the event of a Cybersecurity Event, how to provide notice, and what actions should be taken to remedy the situation.

Awareness Training and Monitoring

As part of its cybersecurity program, each Covered Entity shall: (1) implement risk-based policies, procedures and controls designed to monitor the activity of Authorized Users and detect unauthorized access or use of, or tampering with, Nonpublic Information by such Authorized Users; and (2) provide for regular cybersecurity awareness training for all personnel that is updated to reflect risks identified by the Covered Entity in its Risk Assessment.

KnowBe4 is able to provide training that complies with the 23 NYCRR 500 regulation. Find out how affordable this is for your organization and get a quote now:
